BEST PRODUCTS OF 2007!

INDUSTRY EXCELLENCE AWARDS

Windows IT Pro’s Industry Excellence Awards

We honor the products and services in five categories that our readers and editors consider the best of the best.

Editor’s Best

Community Choice Awards
InstantDoc ID 96405

Best of Tech Ed
InstantDoc ID 96439

The TechEd Attendee’s Pick Awards

The Best of MMS

Access articles online at http://www.windowsitpro.com. Enter the article ID


FEATURES

SOLUTIONS+

Leverage LVR to Simplify AD Object Recovery

Upgrading from Windows 2000 Server to Windows Server 2003 requires additional steps to fully enable the Linked Value Replication feature.

InstantDoc ID 96310 —GUIDO GRILLENMEIER

Password Synchronization

Learn whether one of Microsoft's password synchronization solutions—ILM, SFU, HIS, or Services for NetWare—is right for your environment, or whether you'd be better off with a third-party product.

InstantDoc ID 96220 —JAN DE CLERCQ

Learning Path

SOLUTIONS+

Deploy a Single Application Through Terminal Services

Although Windows 2008 improves on the ability to present single applications from a terminal server, that functionality has been around since Win2K. We'll show you how to deploy software to certain desktops at any number of locations using only limited resources.

InstantDoc ID 96337 —NATE MCALMOND
Karen Forster

IT Pro Perspective

Windows Server 2008 App Compat

Microsoft is working to make the Windows 2008 logo program a meaningful gauge of quality for ISVs and IT pros. InstantDoc ID 96464

Paul Thurrott

Need to Know

Changes to Windows Server Virtualization

Microsoft trimmed the scope of Windows Server Virtualization in early 2007, stripping promising features such as live migration and hot-add hardware support from the upcoming release of Windows Server 2008.
REQUIRED READING: EXCHANGE SERVER

Upgrading to Exchange Server 2007

Before you can upgrade to Exchange 2007, you need to prepare AD and make sure your existing organization is set for the change.

InstantDoc ID 96241 —BRIEN POSEY

Step by Step to Exchange 2007

OFFICE & SHAREPOINT PRO

High Availability for MOSS 2007 Server Farms

Use a tiered architecture and load-balancing technologies to ensure that your SharePoint environment remains up and running.

InstantDoc ID 96301 —RYAN FEMLING

Learning Path

TRICKS & TRAPS

Reader to Reader

Learn how to automatically burn backups to DVDs or CD-ROMs and how the Indexing Service can cause your computer to hang.

WHAT’S HOT

Readers Review Hot Products

Straight talk from readers about the products they use: Zenprise for Exchange/Zenprise for BlackBerry, Atempo LiveBackup, and InfoStreet's StreetSmart.

InstantDoc ID 96034 —BLAKE ENO
IT Community

letters@windowsitpro.com
Directory of Services
Advertising Index
Ctrl+Alt+Del
Dilbert


Ben Smith

The Business End

Liberate Your Inner Salesperson

You might not think of yourself as a salesperson, but whether you're trying to get another rack of servers or consensus among stakeholders, you're selling. These tips will help you do it better.

InstantDoc ID 96371

Mark Minasi

Windows Power Tools

Thwarting Integrity Attacks with Chml

Dive more deeply into Mark's Chml utility, and use the tool to assume the System integrity level.

InstantDoc ID 96306

Michael Otey

Top 10

Windows Server Virtualization Features

This add-on for Windows Server 2008 facilitates backup and better scalability, making virtualization in Windows easier than ever.

InstantDoc ID 96261

Learning Path

Article not a perfect fit? Find more resources to match your knowledge and skills. Network with authors, peers, product vendors, and Microsoft.

Connecting the IT Community

“Data Protection and Disaster Recovery Tips”

Discover a wealth of information about how to protect and secure your data in the event of a natural or human-caused disaster. You might not be able to predict the exact details of a disaster, but you can be prepared with a solid response when one strikes. Learn how to prepare a disaster plan to protect your organization no matter what happens.

http://www.windowsitpro.com/go/ebooks/ca/disaster?code=augcitc

“Messaging Management”

A secure mail and messaging infrastructure is fundamental to your business, and every organization should plan for appropriate message hygiene, availability, and control services from the start. This eBook introduces three fundamental mail and messaging management services—security, availability, and control services—and shows you how to implement them in a Microsoft-centric mail and messaging environment.

http://www.windowsitpro.com/go/ebook/symantec/messagingmanagement/?code=augcitc

“The Essential Guide to Questions and Answers about Analysis Services 2005”

Microsoft SQL Server 2005 Analysis Services has been redesigned to provide one of the most powerful and capable business intelligence (BI) platforms in the world. Analysis Services 2005 has many features and built-in enhancements that provide automatic, intelligent solutions to common business problems.

http://www.sqlmag.com/go/essential/proclarity/analysis/?code=augcitc

OfficeSharePointPro.com (Formerly MSD2D.com)

Office & SharePoint Pro: A Message from Dan Holme

“We are excited to introduce Office & SharePoint Pro to IT professionals, developers, and end users who support, extend, and apply the Microsoft Office System every day. Up to today, MSD2D.com hosted the most exciting community on the Web for SharePoint developers and IT pros. Well, we’ve gone through an extreme makeover, and OfficeSharePointPro.com will take this community to the next level ... expect OfficeSharePointPro.com to become the preferred source of independent, real-world Microsoft Office and SharePoint knowledge, training, solutions, answers, and community.”

http://officesharepointpro.com


YOUR SAVVY ASSISTANT

The Missing Link to IT Resources

Hungry for more product coverage?

If you’re craving more best-of-the-best products, check out SQL Server Magazine’s August issue, which highlights the SQL Server-related products chosen Best of TechEd 2007 and the second annual Editors’ Choice Awards—our editors’ picks of the best products featured in SQL Server Magazine since March 2006. Go to InstantDoc ID 96335 to read more about the following Editors’ Choice winners:

Auditing and Compliance
Lumigent Audit DB
Guardium Data Privacy Accelerator

Backup and Recovery
Quest Software LiteSpeed for SQL Server
Idera SQLsafe

Business Intelligence and Reporting
BusinessObjects XI R2
Tableau Software Tableau

Database Management Tools
SQL Sentry Event Manager
Quest Software Quest Central for SQL Server

Performance and Database Monitoring Tools
Quest Software Quest Spotlight on SQL Server
Symantec i3 for SQL Server

Development Tools
Altova DatabaseSpy 2007
DataDirect Connect for ADO.NET

Hardware
HP ProLiant DL585
HP ProLiant DL380 G4

Storage
IBM System Storage N5000 Modular Disk Storage Systems
EMC CLARiiON CX300

Most Innovative Technology
Texas Memory Systems RamSan-300
IT Pro Perspective

Windows Server 2008 App Compat

Free testing tools for IT and ISVs

The new features of a Microsoft release are interesting, but sometimes it's more important to know what won’t work with a new release. Windows IT Pro Contributing Editor Alan Sugano raised that point in a conversation about Windows Vista and Windows Server 2008. Alan said he continues to deal with Vista app compat issues, such as the fact that SonicWALL still doesn't have a VPN client for Vista, the BlackBerry redirector still doesn't work, and a Vista patch for Outlook Web Access (OWA) is required with Exchange Server 2003. Of course, Microsoft's Vista certification programs designate whether a software product "Works with Windows Vista" or is "Certified for Windows Vista." But one problem with these certifications is that some ISVs participate in the logo program while others choose not to. As a result, the lack of certification doesn't necessarily mean that a product won't work just fine on Vista. That inconsistency raises the question of how useful these logos are for evaluating compatibility.

With Windows 2008, Microsoft aims to improve the logo program and its value for ISVs, as well as IT pros. The company solicited feedback about the Windows Server 2003 certification program. Senior Product Manager Steve Bell told me Microsoft "had several Windows Server 2003 logos that had different levels of criteria and different test cases. [That program] provided a very good technical bar that applications needed to meet, but it was somewhat confusing to IT pros: What does 'Designed for Windows Server 2003' [versus] 'Designed for Windows Server 2003 Enterprise Edition' mean? We wanted to make it easier to know that [the new logo] is the standard for mission-critical applications to run on Windows Server 2008, no matter which version. That's why we have only one logo for Windows Server 2008, and that's 'Certified.'" (Server Core will not have a separate logo because it's an installation option that supports a subset of Windows 2008 roles.)

In addition, as with the Vista program, Windows 2008 applications can receive a "Works with" label. Whereas the "Certified" logo "supports rigorous standards for stability, security, reliability, and overall performance," according to Microsoft, the "Works with" designation "ensures that an application is in compliance with best practices for the most common Windows Server 2008 functions."


A New Approach

What's important about the Windows 2008 certification, Microsoft said, is that it "reduces the cost of certification by 50 percent for ISVs, and provides a comprehensive suite of new tools to help them achieve certification. It is also designed to help customers select software applications." Microsoft is trying to remove barriers that previously prevented ISVs from certifying their applications and to get as many applications certified as possible to provide the consistency lacking in previous logo programs.

Taking a new approach, the company is making the same tools ISVs use to test products available to IT pros to test their commercial and homegrown applications for compatibility with Windows 2008. Steve emphasized, "The logo program is designed for IT pros, as well as ISVs, to identify top-performing technologies. The program saves IT pros a tremendous amount of time in evaluating Windows Server 2008 applications, as well as transitioning to 64-bit."

Steve continued, "For the first time, Microsoft has provided certification utilities for Windows Server as a free download. These are the same utilities that third-party test vendors will use to qualify applications for certification. In the past, an ISV would take its application to a third-party test vendor, VeriTest, to have that application validated. But the IT pro had to have separate policies and methods to validate the application once it hit their door, whether or not it was certified. The Certified for Windows Server 2008 tool is a GUI-based wizard-style interface." (You can download the free tool at http://www.innovateonwindowsserver.com/learnbuild.aspx.)



Karen Forster (karen@windowsitpro.com) is editorial and strategy director for Windows IT Pro and SQL Server Magazine and former director of Windows Server User Assistance at Microsoft.


The Logo’s Value

The question is whether ISVs will be motivated to spend the time and money required for certification, even with the new, less costly process. Does the logo matter in purchasing decisions? Some IT pros do take the logo into account. For example, Mike Dragone noted that "vendors that take the time to go these extra steps have more robust products with fewer issues."

ISV Phil Lieberman of Lieberman Software Corporation pushed Microsoft to make the logo program affordable and achievable for smaller ISVs, and he would heartily agree with Mike. As Phil puts it, "The logo is a way of measuring the level of investment ISVs are making for the future of their customers." Phil is committed to certifying his company's products as a guarantee of quality to his customers.

Whether you're evaluating software for purchase or wondering whether existing applications will run on Windows 2008, the new logo tools could prove useful. Let me know if you try them out.

InstantDoc ID 96464
Setting an Integrity Level to “System”

Thanks for Mark Minasi's excellent Windows Power Tools article, "Icacls Shows Integrity" (June 2007, InstantDoc ID 95681). I tried the scenario Mark describes regarding setting an integrity level to "system" using psexec. Here's what happened: When I set the integrity level to "system" on a file, the file was marked as Integrity system, but I can delete it from Windows Explorer. When I set "system" on a directory, the directory was marked as Integrity system, but I can't remove any file in the directory or delete the directory itself. Any idea why this doesn't work on a file?

—Marc Ochsenmeier

One of the weird things we learned back in NT 101 is that, unlike everything else in Windows, there are two different permissions that allow you to delete a file, and you can delete a file if you have either. The two permissions are the "delete" permission on the file object itself, and the "delete files and folders" permission on the folder object that contains the file. Because the folder is not System, you get to sneak in the back door.

"Ah," you say, "Then why is it that a medium process can't delete a high-integrity file sitting in a medium-integrity folder?" Simple: I filed a bug about that during the testing process and Microsoft put a patch on it for the medium/high situation. They never thought to patch the system situation.

—Mark Minasi


Moving vs. Copying on a Server

Eric Rux makes a good point—"Be sure to teach users the difference between moving and copying"—in his article "Let's Get Organized: File Server Basics" (May 2007, InstantDoc ID 95364). However, it's worth noting the technical issue that a file/folder move from one folder to another on the same server will also bring the existing NTFS permissions and potentially undo all your good set-up work, whereas a copy will leave these behind. Perhaps users should be encouraged to move files/folders to a structure that is used as a staging area and then IT staff perform a copy and delete to the final destination to cleanse unwanted permissions.

—Duncan Priest

Stop the Spread of Malicious Software

I just read Paul Thurrott's article "FBI Identifies 1 Million Botnet Victims" (June 2007, InstantDoc ID 96323), and I'd like to respond to his comment, "Although the FBI can't find every infected PC or contact all the owners of these computers..." Maybe not, but there is a lot that could be done that isn't being done.

1. ISPs should close port 25 so that users are forced to send mail through a monitored port on the ISP's server. Anyone having a legitimate need to have port 25 open (e.g., a law firm needing its own mail server for reasons of confidentiality) can ask to have their port 25 opened.

2. Monitor and meter other traffic from subscribers to identify infected systems.

3. Institute some kind of sender verification.

4. Go after any US-based business that uses spamvertising.

Granted, some of them likely bought their advertising service in ignorance that the recipient list is suspect, but many choose to look the other way, and they must be held to account.

—Hafizullah Chishti


Vista Power Management

I just bought an Apple TV, and it suddenly dawned on me as I turned off the hibernate feature of my Windows XP box (so it will always be on when I need it to listen to music or watch TV programs) that the current power management models in both XP and Vista are lacking when you consider using your PC as a media device for your home.

I want my PC to do the following:

1. After midnight, if my computer is no longer in use (and no streaming media is being sent from it), to go into the lowest power-save mode possible (i.e., hibernate).

2. At 6:00 p.m., before I get home from work, the computer should come back up and be ready to stream media.

3. Any time the computer isn't in use between midnight and 6:00 p.m., it should run in the lowest possible power state but still listen for streaming media requests and wake up immediately when a request is made.

I have read all about Vista power management, and as far as I can tell, Vista doesn't do any of the above. Yet the items on my list are what I want from power management in a media hub computer that runs my house.

—Kendall Bennett


Thanks for the Tip

Today I restored my computer to its last restore point because it had a virus. After that, I couldn't update my OS through Windows Update. I Googled the problem and bumped into your JSI FAQ site and Tip 10651. My problem was solved in 5 minutes! I love Google, Windowsitpro.com, and Tip 10651!

—Joris de Bruijn
InstantDoc ID 96467
Windows IT Pro welcomes feedback about the magazine. Send comments to letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.
What You Need to Know About...

Changes to Windows Server Virtualization

For years, Microsoft has been trumpeting its upcoming release of Windows Server Virtualization, a feature of Windows Server 2008 (formerly code-named Longhorn Server) that will ultimately ship separately from that product. However, 2007 hasn't been kind to Virtualization: With development of Windows 2008 winding down, Microsoft has scaled back dramatically its plans for this technology. The result will be a more bare-bones experience than the company originally announced, with less functionality and less parity with VMware's established ESX Server Infrastructure 3 product line. Here's what you need to know about changes to Windows Server Virtualization.

Inside Viridian

Windows Server Virtualization, code-named Viridian, is Microsoft's hypervisor-based virtualization solution for Windows Server 2008, the next major revision of Windows Server. Windows Server Virtualization will effectively replace Microsoft Virtual Server 2005 R2 in the market and provides dramatic performance and reliability improvements over that product, thanks to its hypervisor-based implementation. That is, unlike host-based virtualization solutions like Virtual Server, Windows Server Virtualization is so-called "full" virtualization software that runs almost directly on the hardware, and not as an application or service under a host OS.

Architecturally, Windows Server Virtualization differs a bit from other full virtualization solutions like ESX Server. Virtualization is typically installed on the Server Core implementation of Windows 2008, though it can also be installed on the mainstream versions of that OS. On a Windows Server Virtualization installation, there's an instance of Windows 2008 Server Core running in a parent partition, with one or more virtualized OS environments running in child partitions. With ESX, there's no parent and child partition. Instead, each OS installation is virtualized and logically runs side-by-side. Although it is technically inferior, Microsoft's approach has the advantage that Server Core benefits from the wellspring of device drivers that have been created for Windows. Thus, it should offer superior compatibility and reliability. Likewise, as a hypervisor-based solution, Windows Server Virtualization will offer dramatic performance improvements over host-based virtualization environments.

As a version 1.0 product of sorts, Windows Server Virtualization has gone through a number of permutations. Originally, it was to have shipped as an integrated part of Windows Server 2008. Then, in 2006, Microsoft announced that it would deliver Windows Server Virtualization within 180 days of Windows 2008 as a free add-on, though the company was vague about how that technology would be delivered. It promised a first external beta of Windows Server Virtualization in the first half of 2007. Then, everything changed.

What’s Changing?

In early- to mid-2007, Microsoft announced two changes to Virtualization. The first of these announcements came in April 2007: Microsoft would no longer be able to deliver a public beta of Virtualization before mid-year and would instead ship a public beta late in 2007. The company reiterated its commitment to ship Virtualization to customers within 180 days of the completion of Windows 2008, which was still expected by late 2007.

A month later, Microsoft delivered far more damaging news. In addition to the beta delays, the company would be cutting several important Virtualization features to meet its shipping deadlines. So while this technology would still ship within 180 days of the completion of Windows 2008, it would be stripped of some expected core functionality, dramatically reducing its usefulness to enterprises. Here's what's been cut:

Live migration. Originally, Virtualization was to have 
included a live migration feature that would have enabled 
customers to seamlessly move a running instance of a vir¬ 
tual machine (VM) from one physical machine to another 
without any noticeable loss of service. 

Hot-add hardware. Virtualization drops its ability 
to hot-add RAM, storage, microprocessors, and network 
cards, significantly reducing its ability to scale on the fly to 
increased demands. Now, Virtualization-based servers will 
need to be taken offline to be upgraded with these hardware 
components. 

Processor core support. Virtualization was to have originally
supported up to 32 processor cores per server. (For
example, a server with eight physical processors, each with 
four processor cores.) Now, it will support just 16 processor 
cores per server, impairing its ability to efficiently serve the 
largest enterprises. 

Microsoft defended the decision to drop functionality by noting, "shipping is a feature too," a somewhat flip assessment given the company's repeated promises for this technology. On the other hand, I can now report how Microsoft plans to ship Virtualization to customers: It will be installed automatically via Microsoft Update (or whatever Microsoft-oriented update mechanism you're using). On supported Windows 2008 systems, Virtualization will appear as a standard server role alongside other Server Core roles.

Microsoft vs. VMware 

Microsoft's detuning of Windows Server Virtualization leaves a lot of unanswered questions. Compared with competing solutions—especially mature and full-featured ESX Server—Virtualization will come up short, both in overall functionality and management capabilities. Given the staggered release schedule for Windows Server products, it's unlikely that we'll see the missing Virtualization features appear before the expected 2009 release of Windows Server 2008 R2. But who can say how much ESX will improve by that point?

On the management front, Microsoft will ship a separately licensed product called System Center Virtual Machine Manager 2007 by the end of 2007. This product should be considered a necessary part of any Virtualization rollout, given its capabilities: System Center Virtual Machine Manager will provide a centralized management console for all Microsoft-oriented VMs, physical-to-virtual (P2V) and virtual-to-virtual (V2V) conversion utilities, and automated facilities for provisioning server hardware for the deployed virtual environments. However, we don't know at the time of this writing how much Microsoft will charge for this product. Arguably, it should be simply included free with Windows 2008 if Microsoft is serious about promoting its virtualization technologies.

Recommendations 

So what's an enterprise to do? VMware has told me that it thinks the market for virtualization is big enough to support two major players, and I believe this to be the case. However, Microsoft's decision to delay and detune Virtualization is going to cause headaches for anyone who had expected to standardize on Microsoft's technology. My advice is simple: Though disappointing, Microsoft's plans for Virtualization aren't problematic enough to offset the advantages for all but the most demanding environments. Microsoft is slowly working toward integrating virtualization wherever it makes sense in its product lines, and with technologies like Microsoft SoftGrid and even Terminal Services RemoteApp filling the virtualization gaps, Microsoft should have solutions in place for (ahem) virtually any virtualization need by early 2008. What's missing, of course, is the depth of functionality and maturity of ESX Server, but then that's something that Microsoft was never going to achieve with its 1.0 release anyway. Microsoft's decision to integrate virtualization capabilities into the core OS is the right one for customers, and the architecture of the system should eventually provide reliability and compatibility advantages over ESX systems, especially for Microsoft shops. As for those moving most aggressively into virtualization, your decision is a bit more difficult. But then it's likely that such companies were already evaluating or using ESX by this point anyway.
Burn Backups Automatically

You can automatically burn system state backups or other crucial files to media by using two freeware utilities—Mkisofs and Dvdburn—and a short batch file. You use the Mkisofs utility to build ISO images of files. Mkisofs is part of the Cdrecord freeware package, which is available for many different platforms, including Win32. To download the Win32 version of Mkisofs, go to ftp://ftp.berlios.de/pub/cdrecord/alpha/win32/cdrtools-1.11a12-win32-bin.zip. (Alternatively, you can go to http://cdrecord.berlios.de/old/private/cdrecord.html, click the Cdrecord download is now on link next to the spinning CD-ROM image, open the alpha folder, open the Win32 folder, and copy the cdrtools-1.11a12-win32-bin.zip file.) Extract mkisofs.exe, which is the only executable you need from Cdrecord.

You use the Dvdburn utility to 
burn that image to a medium, such as 
a DVD or CD-ROM. Dvdburn is part 
of the Microsoft Windows Server 2003 
Resource Kit. 

The batch file runs the two utilities. As Listing 1 shows, the first line of the batch file creates an ISO image of the specified folder (in this case, C:\Backup). The second line burns the newly created image to the specified drive for the DVD burner (in this case, the E drive).

Let's try a scenario: Suppose your PC is backed up every day. The backup file is saved in the C:\Backup folder. Here are the steps you'd take to automatically burn that backup file to a DVD:

1. Create a batch file like the one in Listing 1 and name it BurnBackup.bat. (You can also download this file from the Windows IT Pro Web site at http://www.windowsitpro.com.) If you have spaces in the names of folders, enclose the names between quotes (e.g., "C:\System State Backups" instead of C:\System State Backups).

2. Put Mkisofs, Dvdburn, and BurnBackup.bat in the C:\Backup folder.

3. Put a writable DVD in your DVD burner.

4. Execute the batch file manually or schedule it using the Control Panel Scheduled Tasks applet.

With this solution, 
you don't need to take 
the time to burn your 
backups. Note that you 
can't burn files larger 
than 4.1GB; the Win32 
version of the Mkisofs 
utility can't read files 
any larger because of a 
coding limitation. 

—Oguzhan Oguz 
InstantDoc ID 96339 
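
A fuller version of the two-step batch file described above, written as an added example and not the article's Listing 1: it stops before burning if image creation fails, so a scheduled run never writes a partial image to the disc. C:\Backup and the E drive come from the article; the Mkisofs options, the image and log locations, and the reliance on Dvdburn's exit code are assumptions.

```batch
@echo off
rem BurnBackup.bat - added example, not the article's Listing 1.
rem Builds an ISO image of the backup folder with Mkisofs, then burns
rem it with Dvdburn. Stops before burning if the image step fails.
setlocal

rem Values from the article: folder to back up and DVD burner drive.
set "SRC=C:\Backup"
set "DRIVE=E:"

rem Assumptions: the image is built outside SRC so it is not included
rem in itself, and a log is kept for unattended (scheduled) runs.
set "ISO=%TEMP%\backup.iso"
set "LOG=%TEMP%\BurnBackup.log"

>>"%LOG%" echo %DATE% %TIME% starting image of %SRC%
if exist "%ISO%" del "%ISO%"

rem -J adds Joliet names (long Windows file names), -r adds Rock Ridge,
rem -o names the output image. Quotes cope with spaces in folder names.
"%SRC%\mkisofs.exe" -J -r -o "%ISO%" "%SRC%" >>"%LOG%" 2>&1
if errorlevel 1 goto imagefailed
if not exist "%ISO%" goto imagefailed

rem Dvdburn takes the drive letter, then the image file.
rem Assumption: it returns a nonzero exit code when the burn fails.
"%SRC%\dvdburn.exe" %DRIVE% "%ISO%" >>"%LOG%" 2>&1
if errorlevel 1 goto burnfailed

del "%ISO%"
>>"%LOG%" echo %DATE% %TIME% burn finished
exit /b 0

:imagefailed
>>"%LOG%" echo %DATE% %TIME% mkisofs failed, nothing burned
exit /b 1

:burnfailed
>>"%LOG%" echo %DATE% %TIME% dvdburn reported an error, image kept at %ISO%
exit /b 2
```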

An Unlikely Culprit Can Cause Computers to Hang

In my Reader To Reader article "Create an MMC Snap-In for Searching PDF Files" (March 2007, InstantDoc ID 94950), I expounded on the virtues of using Windows' Indexing Service to quickly search through mounds of files, including .pdf, .doc, .mht, .html, and .txt files. I might have jinxed myself because after I wrote that article, I began experiencing performance problems on my Windows XP Professional machine, which currently indexes about 6,700 files. When I attempted to open Microsoft Office files from the Windows desktop or Windows Explorer, my computer would sometimes hang for two to three minutes. (Interestingly, the computer didn't hang when I opened files from their native applications, such as Microsoft Word or Microsoft Excel.) The computer would also hang when I tried to do a file search from within Windows Explorer. However, I found that if I stopped the Indexing Service, my computer didn't hang. Leaving the Indexing Service disabled wasn't an option for me, so I'd restart the Indexing Service. Shortly thereafter (sometimes as soon as an hour later), my computer would start hanging again.

I used the custom Microsoft Management Console (MMC) snap-in that I created (see "Create an MMC Snap-In for Searching PDF Files") to monitor activities within the Indexing Service. The Indexing Service is supposed to throttle back when you're using the computer, but I noticed that when my computer was hanging, not all of the Indexing Service catalogs were in the Paused, User Activity state.

To correct the problem, I attempted to tune the Indexing Service through the MMC Indexing Service snap-in. After stopping the Indexing Service, I right-clicked Indexing Service on Local Machine, chose All Tasks, then selected Tune Performance. In the Indexing Service Usage dialog box, I selected the Used Occasionally option, which sets indexing to Lazy and querying to Low load. After closing the Indexing Service snap-in, I restarted the Indexing Service. It wasn't long before I discovered that this change didn't stop my machine from hanging.

I decided to dig a little deeper into how the Indexing Service works. I learned that the service creates temporary working catalogs as part of its normal daily operations. A temporary working catalog consists of word lists and saved indexes. When the Indexing Service indexes a document, the index information first goes into a temporary word list. When the Indexing Service stores an index on disk, it's placed in a temporary saved index. Periodically, the Indexing Service merges each catalog's word lists and stored indexes into a permanent master index, after which it deletes all the word lists and deletes all but one of the stored indexes.

You can see how many word lists and
saved indexes exist for a catalog at any point 
in time by clicking Indexing Service on Local 
Machine in the Indexing Service snap-in and 
looking at the Word Lists and Saved Indexes 
columns, which Figure 1 shows, in the catalog 
summary in the right pane. In Figure 1, note 
the zeros in the third catalog's Word Lists and 
Saved Indexes columns. If you set a particular 
catalog's Include in Index? option to No, these 
columns will always contain zeros. 

After periodically checking the catalog 
summary for several days, I noticed that the 
number of word lists and saved indexes for 
my various catalogs never went down but 
rather increased each day. Apparently, the 
word lists and stored indexes weren't being 
merged into master indexes. 

As an interim solution, I forced each catalog to do a master merge by opening the Indexing Service snap-in, right-clicking a catalog, then selecting All Tasks, Merge. After a short period of time, the numbers in the Word Lists column dropped to zero and the numbers in the Saved Indexes column dropped to one, as Figure 2 shows. More important, my computer didn't hang any more.

Figure 1: Example of the Word Lists and Saved Indexes columns before a master merge

Figure 2: Example of the Word Lists and Saved Indexes columns after a master merge

To permanently fix the hanging problem, I had to determine why my catalogs weren't getting a master merge. An investigation led me to the Main Registry Entries Web page (http://msdn2.microsoft.com/en-us/library/ms692119.aspx), which is part of the Indexing Service section in the Platform SDK. From this Web page, I learned about a registry entry named MasterMergeTime, which is under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex key. The MasterMergeTime entry's value specifies the time (represented as the number of minutes after midnight) at which a master merge will occur. The range of values is 0 through 1439. The default value is 0, which means that the master merge will occur exactly at midnight.

After I read about the MasterMergeTime entry, I had my suspicion about what might be wrong. When I checked with Microsoft Customer Service and Support (CSS), a support engineer confirmed my suspicion: If a machine isn't powered up when the master merge is scheduled to take place, the master merge won't occur. In addition, the support engineer told me that master merges also automatically occur after a certain number of documents have been indexed and when disk space gets low. And as the number of word lists and saved indexes increases, the computer's performance degrades.

The support engineer noted that I had three 
options to stop my machine from hanging: 

• Disable the Indexing Service. 

• Change the MasterMergeTime value to a 
time of day when the machine is powered 
up and can handle the extra CPU overhead 
brought about by the master merge. 

• Manually force a master merge for each 
catalog at regular intervals. 

Disabling the Indexing Service wasn't an option for me. Manually forcing master merges for each catalog would be too time-consuming. So, I opted to change the MasterMergeTime value. Since I changed the value to a time of day when the PC is running but idle, I haven't had any more problems with my machine hanging because of the Indexing Service.

I also learned one other helpful tip from the support engineer. By default, XP Pro creates catalog indexes for two locations: the My Documents folder and the default IIS site. Typically, the catalog for the My Documents folder is at C:\System Volume Information\catalog.wci, whereas the catalog for the IIS site is at C:\Inetpub\catalog.wci. If you want to run the Indexing Service because you need it for some special directories you have, but you don't need the ability to search the My Documents folder and the default IIS site for text strings, you can take one of two actions:

• Not recommended: In the Indexing Service 
snap-in, delete the catalogs for the default 
locations. 

• Recommended: In the Indexing Service snap-in, expand the catalog's Directories folder in the left pane. In the right pane, double-click each directory, which brings up a dialog box that has the odd name of Add Directory. In this dialog box, change the Include in Index? option from Yes to No. If you want to recover disk space after this change, you can force a master merge on that particular catalog. Note that although you can stop the indexing of a particular catalog by right-clicking the catalog in the left pane and selecting Stop, this action only temporarily stops the indexing. The indexing of that catalog will resume the next time the Indexing Service is started manually or the machine boots up (assuming the Indexing Service is set to the default startup setting of Automatic).

If your computer hangs or has other performance problems when you're opening or searching for files, you might want to use the Indexing Service snap-in to monitor your catalogs. If the numbers in the Word Lists and Saved Indexes columns for your catalogs never go down, you likely have a problem with master merges.

—Bret Bennett, President, BRET A. BENNETT 
InstantDoc ID 96343 
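
One way to apply the MasterMergeTime change from a command prompt, as an added example that is not part of the original article: the batch file converts a 24-hour HH:MM time to minutes after midnight, checks the 0 through 1439 range, and writes the value with reg.exe. The script name SetMergeTime.bat and the REG_DWORD value type are assumptions; the key and entry name are the ones the article gives.

```batch
@echo off
rem SetMergeTime.bat (hypothetical name) - added example, not from the article.
rem Usage: SetMergeTime.bat HH:MM      e.g. SetMergeTime.bat 13:30
setlocal

set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\ContentIndex"
set "ARG=%~1"
if not defined ARG goto usage

rem Accept only two-digit hours and minutes so the arithmetic below
rem always sees exactly two digits in each position.
echo(%ARG%| findstr /r /x "[0-2][0-9]:[0-5][0-9]" >nul
if errorlevel 1 goto usage

rem set /a reads a leading 0 as octal, so 08 and 09 would fail.
rem Prefixing 1 and subtracting 100 keeps the number decimal.
set /a HOURS=1%ARG:~0,2% - 100
set /a MINS=1%ARG:~3,2% - 100
if %HOURS% GTR 23 goto usage

rem MasterMergeTime is minutes after midnight: 0 through 1439.
set /a TOTAL=HOURS * 60 + MINS
if %TOTAL% LSS 0 goto usage
if %TOTAL% GTR 1439 goto usage

echo Current setting:
reg query "%KEY%" /v MasterMergeTime 2>nul || echo   not set, so the default of 0 applies

rem REG_DWORD is assumed here; the article does not state the value type.
reg add "%KEY%" /v MasterMergeTime /t REG_DWORD /d %TOTAL% /f
if errorlevel 1 (
    echo Could not write the value. Run from an administrator account.
    exit /b 1
)

echo MasterMergeTime set to %TOTAL% minutes after midnight, which is %ARG%.
exit /b 0

:usage
echo Usage: %~nx0 HH:MM   24-hour time, 00:00 through 23:59
exit /b 1
```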
Editor’s Best

The Windows IT Pro editors identified products in 13 subject areas that they specialize in. They tell you why these products are worthy of your attention, and many of them introduce you to users who are working happily with Editor’s Best products today.

Community Choice Awards

Windows IT Pro readers and Windows user group members voted for their favorite products in 12 Buyer’s Guides published in Windows IT Pro between January 2006 and March 2007. Voting took place in Windows IT Pro’s forums.

Best of Tech Ed

Our editorial judging panel determined these products from Microsoft Partners at the 2007 Microsoft TechEd conference to be the best in their class.

The TechEd Attendee’s Pick Awards

IT pros attending TechEd 2007 reviewed products and services exhibited on the show floor and voted for their favorites.

The Best of MMS

These products from Microsoft Partners took top honors at the 2007 Microsoft Management Summit.

Recognizing outstanding products and services for IT pros

Windows IT Pro's Industry Excellence Awards honors products and services that our readers and editors have identified as having exceptional value. Award winners are hardware, software, and services that stand out for their practical value and technical innovation.

The Industry Excellence Awards aren't just a popularity 
contest. Nominees in all categories were considered and 
evaluated by IT pros who work with them every day and by 
the editors of Windows IT Pro, who regularly research, review, 
and report on new and existing product technologies. We've 
combined all this experience and expertise to identify for you 
the best products and services you'll find in any area of IT 
you're interested in. In the following five categories, Windows 
IT Pro readers and editors have chosen products that can help 
you do your job smarter, faster, and more effectively. 


Congratulations to the winners in all five categories. 

The real winners, however, are you, the readers of 
Windows IT Pro. When we search the market to identify 
the products that are the best at what they do, you benefit. 

InstantDoc ID 96394 
Hardware

Our hardware coverage at Windows IT Pro runs the gamut from high-end server powerhouses to the tiniest of useful USB storage gadgets, and when I peruse that coverage, how can I help but notice the way one monstrous server towers over everything? If you’re seeking a true workhorse for a demanding environment, I can think of no higher endorsement than this: “The HP ProLiant DL585 is the fastest system I’ve ever tested.” So says Michael Otey, senior technical editor at Windows IT Pro, and reviewer of the system for our July 2006 issue. I spoke to him recently about his testing of the system. “This DL585 was one of the first dual-core Opteron servers to hit the market, and it provides simply awesome performance,” he said.

The 132-pound, 4U rack-mounted machine that he tested included four AMD 880 Opteron dual-core 2.4GHz CPUs, 2GB of RAM, and a battery-backed embedded Ultra3 Smart Array 5i drive connected to four 36GB, 15,000rpm hard disks. The system supports a maximum of 128GB of RAM. You can purchase the DL585 with 32-bit Windows Server 2003 Standard Edition or Enterprise Edition, or with 64-bit Windows 2003 Standard or Enterprise x64 Edition. The DL585 comes with HP Systems Insight Manager and Integrated Lights-Out (iLO) management technology. Insight Manager monitors the system, letting you manage it remotely or interactively. The iLO technology enables remote management using virtual KVM over IP through an embedded Web server.

The dual-core DL585 can provide a significant benefit on processor-intensive workloads. During his testing, Michael had trouble creating a workload that would stress the system. “It’s noteworthy that Microsoft’s recent top TPC-H benchmarks were accomplished using the DL585,” he said. The use of HyperTransport technology, which speeds communication between integrated circuits, is one of the main factors in the system’s astonishing performance.

Michael concluded, “For the enterprise, one of the really nice 
features is that this system is also socket-compatible with AMD’s 
next generation of quad-core processors. Therefore, you can do 
an in-place upgrade, moving from dual-core to quad-core—getting 
an instant boost in processing power—and all you have to do is 
swap the chips and upgrade the BIOS.” 

—Jason Bovberg 



WINNER:
HP ProLiant 585
http://www.hp.com

FINALIST:
Dell Latitude X1
http://www.dell.com

FINALIST:
Pexagon Technologies Store-It USB 2.0 external hard drives
http://www.pexagontech.com
Interoperability

Heroix Longitude is monitoring and reporting software for heterogeneous environments. It runs on multiple Windows and UNIX/Linux platforms and can be used to monitor application servers; Web servers such as Microsoft IIS and Apache; databases such as Microsoft SQL Server, MySQL AB’s MySQL, and Oracle; Microsoft Exchange email servers; J2EE servers; and various network devices.

Bret Moeller, CIO of Bunker Hill Community College in Boston, has used Longitude for two years. His IT environment consists mostly of Microsoft products but includes Sun Microsystems and Apple equipment. He monitors approximately 50 servers and 70 devices (e.g., switches, routers, firewalls)—all on a 24x7 basis. Before switching to Longitude, the college’s previous monitoring solution, according to Bret, “wasn’t dependable [and] failed miserably. We didn’t get paged. I didn’t know about servers not being operational.” But he’s very happy with Longitude, “even when I get pages at two o’clock in the morning saying the server is down.” He appreciates the software’s dependability, and he says he’s had no major problems with the product.

In addition to Longitude’s dependability, Bret also praises the product’s reporting capabilities. The software provides graphical reports that show the total hours of server uptime and downtime, as well as percentages. Bret says he runs these reports for his weekly meetings with the college president, and he uses them as an internal marketing tool to tout his servers’ uptime. “Everybody seems to think that an hour of downtime is so bad, but [Longitude] plainly shows that [we’ve had] 99.9 percent uptime, and that one hour in the scheme of things isn’t all that bad.”

In general, Bret says that Longitude makes his IT department look good because if there’s a problem, they can nip it in the bud. He therefore gives the product a five-star recommendation.

— Lavon Peters

WINNER:
Heroix Longitude
http://www.heroix.com

FINALIST:
XenSource XenEnterprise
http://www.xensource.com/products/xen enterprise

FINALIST:
Vembu Technologies StoreGrid
http://www.vembu.com/storegrid/backup-software.html




Messaging 

Most Windows IT Pro readers work in Microsoft Exchange Server environments, so it’s easy to forget that viable alternatives to Exchange exist. For small-to-midsized businesses (SMBs) in particular, an easier-to-manage, less costly mail server can make more sense than having an onsite Exchange server that requires IT resources and a budget that SMBs typically lack. Enter Kerio Technologies’ Kerio MailServer 6.1. The product, which reviewer John Green designated Editor’s Choice in “Groupware Alternatives to Microsoft Exchange” (August 2006, InstantDoc ID 50597) and Michael Otey praised in “Kerio MailServer 6.1” (February 2006, InstantDoc ID 48792), provides a budget- and administration-friendly option for SMBs that want to host their own email services.



WINNER:
Kerio MailServer 6.1
http://www.kerio.com/kms home.html

FINALIST:
Azaleos OneServer
http://www.azaleos.com

FINALIST:
Zenprise for Exchange
http://www.zenprise.com/products/exchange.aspx


Kerio MailServer stands out especially for its well-rounded feature set. It includes just about everything you’d want for business email services—support for SMTP, POP3, and IMAP; antispam and security features such as Bayesian and content filtering, blacklists and whitelists, and reverse DNS lookup; integration with Active Directory (AD); folder sharing; email address aliases; two Web-based email clients (including one for mobile devices); support for Microsoft Outlook and Apple Macintosh clients; and an Exchange migration tool. The only feature missing from the product is IM.

The combination of price (Kerio MailServer starts at a base price of $399 for 10 users) and business-email features convinced Roger McIlmoyle, director of technical services for TLC Vision, to move from Exchange Server 5.5 to Kerio MailServer rather than upgrade to Exchange Server 2003. Roger investigated several products but chose Kerio MailServer because it would work with Outlook as well as the few Macintosh users in his organization.

What made Roger choose Kerio? “It just works,” he says. Roger has two Kerio MailServers running about 1,500 mailboxes and processing on average 40,000 email messages a day. He has seen users send attachments as large as 1GB without a hitch. In his opinion, “Performance for price is just amazing.”

—Anne Grubb and B. K. Winstead 


Microsoft Products 

In the past 12 months, Microsoft released Windows Vista, Office 2007, Exchange 2007, Microsoft Office SharePoint Server 2007 (MOSS), Forefront Client Security 2007, System Center Operations Manager 2007 (Ops Manager), System Center Essentials (SCE), Windows Mobile 6, Intelligent Application Gateway 2007 (IAG), and Identity Lifecycle Manager 2007 (ILM). Selecting among these products to designate my Editor’s Best is like comparing apples, oranges, and Jupiter.

I was leaning toward picking MOSS on the basis of its importance to the market, value to customers, and the quality of its technology. I asked for advice from readers of Vista UPDATE (“How Does Vista Rank Among the Past Year’s Microsoft Releases?” InstantDoc ID 96088). Here’s what they said: “As soon as you add the qualifier ‘provided the greatest value,’ this becomes a slam-dunk for MOSS (and WSS). While Vista may eventually provide great value to the industry, it’s currently relegated to more of a curiosity. Without the MOSS integration features in Office 2007, it’s just a new interface on an old product. The others are either too limited in their use or too new to tell,” said reader “hlx.”

“Yep, MOSS is undoubtedly the biggest 
‘mover and shaker’ in IT (Microsoft’s world 
at least). It’s going to be huge, in small and 
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AUTOMATED EVENT LOG MONITORING & CONSOLIDATION, SYSTEM HEALTH, 
ENVIRONMENT AND NETWORK MONITORING. IN ONE AFFORDABLE PRODUCT. 


Fully loaded 30-day trial. Visit www.eventsentry.com o r call 1-877-638-4587 


Mihai has been working with computers for almost 20 years, 
since the Z80® days. Fluent in four languages, Mihai holds 
almost a dozen certifications, including the CISSP®. 

As a Security Analyst for a multi-national human resources 
solution provider, he manages over 600 Windows® servers 
across the enterprise and has to report to compliance 
auditors on a regular basis. Security, documentation, and 
server monitoring are his greatest concerns. 

"For several years, EventSentry has been critical 
in helping us monitor, archive and report our 
event logs for compliance. We also love the daily 
alerts and performance monitoring features." 
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Mihai Petre uses EventSentry to 
monitor his server environment. 
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WINNER: 

Microsoft Office SharePoint 
Server 2007 

http://office.microsoft.com/ 

en-us/sharepointserver/ 

FXI0049200IQ33.aspx 



FINALIST: 

Exchange Server 2007 
http://www.microsoft.com/ 

exchange/default.mspx 


S FINALIST: 

System Center family 

http://www.microsoft.com/ 

systemcenter 


big businesses alike. The new SharePoint 
Designer is also going to make the pene¬ 
tration of WSS / MOSS much deeper. And 
it does provide the greatest value,” reader 
Paul Schnack said. 

I did choose MOSS because it has 
already had more impact on the market 
than Microsoft’s other recent releases. 
Our publications can hardly keep up with 
requests for MOSS content. In fact, by 
popular demand, we’ve added an Office 
and SharePoint section to this magazine, 
and we’ve even launched a new Web site 
at http://www.officesharepointpro.com. 

Although MOSS’s importance to the 
market and value make it my choice, I 
need to add a caveat. A reader called 
“Goatie” provided the following perspec¬ 
tive, which I’ve edited for length: “We’re 
upgrading our intranet and Internet sites 
to MOSS. Whilst the product is fine, it 
seems to still be rushed. Most of the table 
and object documentation does not exist, 
which makes customizing MOSS (what 
it’s billed as being the best for!) hit-and-miss.
Until the developer documentation
appears in any usable quantity, I’d be 
concerned if it was nominated as the 
best product release of the year.” Talk to 
developers who are implementing MOSS, 
and you’ll find strange performance 
issues with no documentation as to what 
the components do and if it is doing it by 
design or not. Counting the number of 
people implementing the product is fine, 
but a better measure is how successful 
the implementations are. 

— Karen Forster 


Mobile and Wireless 

Research in Motion’s BlackBerry has become crucial for enterprises, so it’s no
surprise that troubleshooting and resolving BlackBerry problems is an important
and time-consuming job for IT administrators. Several vendors now offer
BlackBerry monitoring and management solutions, but BoxTone for BlackBerry is 
one-of-a-kind because it monitors 
every single email message sent 
to a user’s BlackBerry and collects 
data about the flow of messages to 
these devices, allowing companies 
to be proactive about resolving 
BlackBerry problems. 

Chesapeake Energy in Oklahoma 
City began looking into BlackBerry 
management products after several
instances in which high-level
personnel had to wait two or three 
hours for BlackBerry service. 

“We were completely reactive, so 
if anyone was having issues we 
only knew if they called the Help 
desk,” says Chris Cox, Chesapeake 
Energy’s supervisor of IT operations.
Because email is Chesapeake
Energy’s primary form of communication,
it was imperative that the company’s employees have BlackBerry service at
all times.

After evaluating several products—and having the company’s wireless provider 
offer its recommendation—the company decided to purchase BoxTone for BlackBerry
because Chesapeake Energy considered it to be the most mature product
in the BlackBerry monitoring and management market. The product’s ability to 
integrate with enterprise management products was one of the deciding factors in 
Chesapeake Energy’s decision to purchase BoxTone for BlackBerry. Chesapeake 
Energy had been using BoxTone for BlackBerry for three months at the time of 
this writing, and although the company’s Help desk was still receiving just as 
many BlackBerry tickets as before, IT administrators weren’t spending nearly as 
much time resolving BlackBerry problems. Scott Banks, an administrative services 
supervisor for Chesapeake Energy, estimates that since the company started using 
BoxTone for BlackBerry, its IT administrators are saving at least one hour per Help 
desk ticket because the product troubleshoots BlackBerry problems for them. 
“[Before implementing BoxTone for BlackBerry] we were using upwards of 30 percent
of our time just tracking down BlackBerry problems,” says Cox.

— Megan Bearly 


WINNER:
BoxTone for BlackBerry
http://www.boxtone.com/products/announcingv3.aspx

FINALIST:
Neverfail for RIM BlackBerry
http://www.neverfailgroup.com/products/app-modules/blackberry.aspx

FINALIST:
NETGEAR RangeMax 240 Wireless Routers
http://www.netgear.com


Networking 

The network-management marketplace
is flooded with products that claim 
to help you better oversee your network 
infrastructure and environment. I talk to 
vendors around the world, and each one 
seems to offer a unique answer to that 
age-old IT administrator plea: How can 
your product make my life easier? 

One network-monitoring product that has really stood out from its competitors
over the past year is NETIKUS.NET’s EventSentry 2.72, a proactive, real-time
solution that watches over your servers, workstations, and network devices.
EventSentry’s primary components—event log monitoring, system health monitoring,
basic network monitoring—might seem standard parts of a typical monitoring
solution, but NETIKUS.NET goes further to provide open-source flexibility
(e.g., with its multiple database options), environment monitoring (e.g., motion,
water, smoke), and even a downscaled freeware version (EventSentry Lite).

WINNER:
NETIKUS.NET EventSentry
http://www.eventsentry.com

FINALIST:
FireEye 4200 network security appliance
http://www.fireeye.com/products/42QQ/index.html

FINALIST:
Network Instruments GigaStor
http://www.networkinstruments.com/products/gigabit/GigaStorProbe.html

To get a feel for EventSentry in action,
I contacted Ron Pugh, senior network
engineer at Prosper Marketplace. Pugh 
heads up an environment of about 50 
servers running Windows Server 2003. 
Ron had been on the lookout for just the 
right network-monitoring tool and found 
it in EventSentry. “I needed to consolidate 
my Windows event logs for monitoring, 
archiving, and reporting,” he said. “The 
ability to monitor event logs for different 
levels of error messages, types of error 
messages, and the message text within 
those error messages is my favorite and 
most useful feature. And the ability to 
direct any of those messages to be written 
to database or sent to my email/pager is 
most important. I also wanted a place to 
store performance counters so that I could 
report on those.” 

When I met NETIKUS.NET founder 
Ingmar Koecher last year, he struck me as 
a modest guy who’s really invested in the 
happiness of his customers. And it’s easy 
to see why. Koecher started out as a systems
administrator himself, and his mission
in creating EventSentry was to create an 
affordable, easy-to-use product that IT 
administrators actually enjoy using. “What 
makes our product unique is the way it 
bridges the gap between open-source and 
expensive commercial solutions,” Koecher 
told me. Ron backs up the impression 
of Koecher’s company as customer-oriented:
“The customer support is extremely
responsive. They’ve provided me any fixes 
I need in a timely manner.” 


Ron’s relationship with NETIKUS.NET
involves give-and-take. “The company has
implemented a lot of EventSentry improvements
on my request—for example, file/directory
monitoring and performance-counter
logging. However, I would like to
see more drag-and-drop capabilities in the
administration UI.” Sounds like Ron has
another request to put in—and you can bet
NETIKUS will listen.

—Jason Bovberg 


If you’re like most systems administrators, your answers are
True and False, respectively. Let’s face it—the benefits of
scripting are undeniable, but learning the craft isn’t exactly
easy. It takes time and practice. Fortunately, there are automation
products available to do the scripting for you. One of
the best products I’ve encountered is Network Automation’s
AutoMate 6.0. Using its drag-and-drop task-building capability,
you can automate virtually any task in any business process
without writing any code. AutoMate is also scheduling
software, so you’re able to not only automate tasks but also
to configure them to run according to a schedule or when an
event-based trigger (e.g., a Windows event log entry or an
exceeded system threshold) occurs.

The fact that AutoMate has both automation and scheduling
capabilities is a main reason why the University of Texas M. D. Anderson Cancer
Center in Houston decided to purchase the product five years ago. “Up until the time
we got AutoMate, we had not found a tool that did both automation and scheduling
within a single application,” says Juan O. Garcia, the center’s systems analyst. “Aside
from that, most of the automation tools we looked into contained only basic functionality.
AutoMate went above and beyond that by sending notifications about failures
and/or successes. It also has some neat error-handling options.” The only feature
Garcia wishes the product would include is Web deployment capabilities.

Garcia notes that the Anderson Cancer Center uses AutoMate to automate numerous
FTP, data-manipulation, and application tasks. The center automates thousands
of file and data transfers (via FTP) that occur among the center’s critical nurse-staffing,
attendance, and HR systems. The center also automates data-manipulation tasks.
“Here at Anderson, we have lots of data that comes out of systems, so there’s a lot of 
data manipulation that we have to do. Because it’s repetitive work, we use AutoMate 
to clean up and sort the data.” The application tasks that the center automates are 
the kind of tasks you’d automate with macros but at a more sophisticated level. 

Garcia estimates the Anderson
Cancer Center is enjoying an annual
full-time equivalent (FTE) savings
ranging from 0.5 to 0.8, depending
on the particular system AutoMate is
being implemented on. (The highest
FTE a product can have is 1.0, which
means it’s equivalent to a full-time
worker.) Perhaps more important, having
this product offers peace of mind.
“Although the IT staff is basically 8 to
5, the health care staff works 24x7, so
it’s important for us to have software
that automatically handles errors and
notifies IT staff of any problems,”
explains Garcia.

—Karen Bemowski 


WINNER:
Network Automation AutoMate 6.0
http://www.networkautomation.com/automate

FINALIST:
Entrigue Systems Script Start 1.5
http://www.entrigue.net/content.php?s=products

FINALIST:
ScriptLogic Desktop Authority 7.6
http://www.scriptlogic.com/products/desktopauthority

Scripting 
Industry Excellence Awards | Editor’s Best


Security 

In a year in which data leakage was a hot topic and stories about companies losing
control of thousands of customer records became a staple of the nightly news,
security vendors rose to the challenge, offering encryption and other protection solutions
for data that’s stored and accessed within the enterprise as well as traveling
with an increasingly mobile workforce. A data encryption solution for USB drives,
RedCannon’s KeyPoint solution, is my Editor’s Best choice in security.

As John Jeffries, RedCannon Security vice president of marketing, puts it, “USB 
drives are in the enterprise and out of control.” KeyPoint’s value proposition is to 
manage these devices so that they continue to be a convenient vehicle for carrying
corporate information but don’t become a security threat. KeyPoint can harness
a USB drive and turn it into a thin client that performs health checks on the PC it’s 
plugged into, strongly authenticates the user to the corporate network (by using RSA 
one-time passwords), establishes a Juniper VPN connection, and even lets the user 
access applications via a corporate Citrix server. These secure remote-access features
make KeyPoint stand out in a crowded field of USB drive encryption solutions.

However, KeyPoint’s main function is to centralize control over all the USB 
drives in your organization. The KeyPoint Alchemy server appliance can provision 
and manage drives from almost any manufacturer, so you can leverage drives that you might already have purchased. You can set 
policies to encrypt any data that’s copied to drives and to lock out or destroy the data on drives that are lost or stolen. Other
differentiators, according to Jeffries, are that KeyPoint Alchemy can push policies and documents out to the drives and can monitor
any access of a drive (even when the drive is offline) and report it back to the Alchemy server. Thus you have a complete auditable 
record of the activity on a drive if it’s temporarily misplaced and so can determine what action to take if it’s subsequently recovered. 

— Renee Munshi 


WINNER:
RedCannon KeyPoint
http://www.redcannon.com/products/alchemy.html

FINALIST:
Secuware Security Framework
http://www.secuware.com/en/products/ssf.html

FINALIST:
eEye Digital Security Blink Professional Edition with Anti-virus
http://www.eeye.com/html/products/blink/index.html


Storage 

If you own or work in a small-to-midsized
business (SMB), you know that choosing
and managing any type of storage technology—whether
DAS, SAN, or NAS—can be
difficult. Additionally, you likely have a limited
staff and resources at your disposal. My pain
reliever for your storage headache is StoreVault
S500. This product is an all-in-one
storage solution, with NAS and SAN support
out of the box and ranging in capacity from
1TB to 6TB. StoreVault is a division of Network
Appliance (NetApp) devoted entirely to
SMBs. StoreVault’s General Manager Sajai
Krishnan explains, “NetApp created StoreVault
for IT generalists—people who work on
all aspects of IT. And because we’ve typically
focused on enterprise customers, almost
ninety percent of the StoreVault division
staff was brought from the outside to help
better serve our new customers.”

I spoke with StoreVault customer Gary Hensel, director of IT for FES Systems,
about his reasons for purchasing StoreVault S500. Gary told me that one
of the reasons FES Systems purchased the product was because StoreVault is
part of NetApp. Gary says, “NetApp is a great brand and is very highly respected.
NetApp has always been associated with the higher-end market, so when they create
a division strictly for SMBs, you take notice. In fact, we already had a storage
solution on order from another vendor but cancelled when we heard about StoreVault.”
Gary also pointed to the product’s iSCSI support, which lets him connect
StoreVault S500 directly to his network, turning it into its own file server. He
also likes the product because it’s very affordable, starting at just $6,000. Along
with the favorable pricing, the product’s multiple configurations really help Gary
configure the unit to his business needs. For example, StoreVault S500 supports
as many as 12 disk drives—right now, FES Systems is using 7 of them.

WINNER:
Network Appliance StoreVault S500
http://www.storevault.com/products/hw_s500.html

FINALIST:
Asigra Televaulting 6.2
http://www.asigra.com/products/televaulting.php

FINALIST:
iQstor Networks iQ2880 4Gb Fibre Channel Storage System
http://www.iqstor.com

StoreVault S500’s data management
features are worthy of mention. The solution
comes equipped with the StoreVault
Manager, which provides volume management,
snapshot scheduling, and capacity
allocation. (For more details about StoreVault
S500, see John Green’s comprehensive
product review in the June 2007
issue, InstantDoc ID 95847.)

— Blake Eno 
SharePoint

You’ve most likely heard the business catchphrase “location, location, location”
more than a few times. In today’s interconnected world, a more appropriate
business term might be collaboration, collaboration, collaboration, which technology
has made possible no matter your location. Businesses have discovered the
value of Microsoft’s SharePoint collaboration platform for sharing information with
internal users and are now looking to extend that capability to people outside
the corporate network. Partners, vendors, clients, and service providers can all
benefit from easy information access, but opening up SharePoint sites to external
entities can create a tremendous burden for the IT pros tasked with managing and
securing these SharePoint sites and their users. SharePoint Solutions’ Extranet
Collaboration Manager (ExCM) for SharePoint 2007, my Editor’s Best selection for
the SharePoint space, can help lighten this burden for SharePoint administrators.
ExCM is a SharePoint add-on that provides provisioning, security, and
monitoring functionality to extranet sites. It also takes advantage of SharePoint’s
form-based authentication (FBA), which simplifies the user logon experience and
provides a wide range of options for storing extranet user data separately from
your internal user accounts.

WINNER:
SharePoint Solutions Extranet Collaboration Manager for SharePoint 2007
http://www.software.sharepointsolutions.com

FINALIST:
Quest Software Site Administrator for SharePoint
http://www.quest.com/site-administrator-for-sharepoint

FINALIST:
Commvault Galaxy Backup & Recovery
http://www.commvault.com/
backup and recovery.asp

To get a customer’s perspective on this 
solution, I talked with Dave Chan, senior 
systems administrator for Draftfcb, a large 
advertising agency with headquarters in 
Chicago and New York City. He said, “We 
chose SharePoint Solutions’ ExCM because 
we needed a way to manage external 
users (e.g., clients, vendors) accessing our 
SharePoint sites. There are several ways to 
manage those users out-of-the-box: either 
by creating Active Directory accounts, creating
a separate AD farm for external users,
or using a straightforward FBA model, but
those options wouldn’t have solved the system
administrators’ major problem of user
management.” He said that the one feature
that stands out for him is the invitation
option. This option lets delegated administrators
(which can be established per
site collection) invite new users and takes 
user management away from the systems 
administrators and assigns it to the site 
collection owners. After thorough internal 
testing of ExCM, David believes it will fully 
meet his company’s needs. 

—Gayle Rodcay 


Systems Management

Peace of mind is something IT pros want
but don’t often have—there’s always
something, somewhere, that can and will
go wrong with your system. In the huge
number of systems management products
that come across my desk, I’ve seen many
solutions that deal with Active Directory
(AD), Group Policy, identity and access
management, and Help desk management.
But for sheer peace of mind, one solution
stands out: NetPro’s ChangeAuditor, a
real-time auditing and reporting solution
that details changes to AD, file servers, and
Microsoft Exchange.

As Senior Windows Administrator, Microsoft MVP, and Windows IT Pro contributor
Eric Rux says, “I’ve written about file security and how to set it up. But what
about after the fact—one year after you set up your new file structure, is it still in good
shape? Have the users been following the rules? I inherited my current AD, so sometimes
I wonder what the previous admin did before he left. I would use this product
to put my mind at ease.”

WINNER:
NetPro ChangeAuditor
http://www.netpro.com/products/changeauditor/index.cfm

FINALIST:
LANDesk Service Desk
http://www.landesk.com/products/servicedesk

FINALIST:
FullArmor Endpoint Policy Manager
http://www.fullarmor.com/products-fullarmor-endpoint-policy-manager.htm

Charles Campbell, manager of end- 
user computing at a US port authority that 
oversees a seaport and several airports, 
echoes Eric when he says, “It’s great peace 
of mind.” Charles says his biggest challenge 
is keeping disparate systems up and running.
“We’ve got so many systems based
on so many OSs. We have everything from 
desktops and servers to access control for 
doors and cameras and parking systems.” 
Before ChangeAuditor, Charles used GFI 
LANguard security tools. The reason he 
chose ChangeAuditor was that the interface 
seemed easy to use and was simple but 
powerful. ChangeAuditor did a lot more than 
previous tools and included AD monitoring. 

“It’s lived up to our expectations,” 
Charles says. “One thing it’s done is allow 
us to give more access rights to lower- 
level staff. This frees up our higher-level 
staff to do value-added tasks.” ChangeAuditor
keeps all information in a database,
and you can run reports on what people 
are doing, including all users, groups, and 
passwords added. Charles says, “It gives 
our system administrators metrics.” 

Charles likes ChangeAuditor’s instant 
alerting function, which proved itself by 
catching some consultants who were doing 
their job. “We had security guys come in to 
do testing. They tried elevating privileges 
using a hack and we caught them. Stopped 
them in five minutes.” 

Would Charles recommend ChangeAuditor?
He says, “Anyone who has AD
in their shop should seriously look at this
product. It pays for itself. It’s made our system
the best it could be.”

— Caroline Marwitz 
Training and Certification

My Editor’s Best choice in Training and Certification is
AppDev’s KSource Online Learning. KSource’s rich
media IT training modules help consulting companies like
Magenic Technologies fill in their training gaps and stay
on top of business. Minnesota-based Magenic has built a
reputation as one of the technology industry’s most trusted
consulting companies. A Microsoft Gold Certified Partner,
Magenic this year won Microsoft’s Worldwide Partner Award
for Technical Innovation in Custom Development Solutions.
“Our firm is well-known for our extremely experienced
Microsoft technologists,” says Tony Mohl. Tony manages Magenic’s
Delivery Center, which allows the company to execute consulting
projects without having to be on a customer’s site.
This reverse outsourcing (which, because Magenic
is located in the land of 10,000 lakes, the company
refers to as “lake-sourcing”) requires that
Magenic consultants be deeply versed in Microsoft
technologies. Until three years ago, Magenic
hired consultants who
had experience with all areas of Microsoft’s technology. However,
the proliferation of technologies such as SQL Server and
SharePoint and new scripting languages made finding consultants
with the right experience a difficult task.

Today, Magenic can hire professionals with in-depth 
knowledge of a few technologies and let KSource’s topic- 
based training modules bring them up to speed with the rest. 
Since implementing KSource, Magenic has seen a significant 
ROI in soft costs. “Before KSource, I had our employees 
training out of costly textbooks and then passing ad hoc 
technical exams before I could place them on a customer’s 
project,” Tony says. The whole process took an average of
five to six weeks and usually included a costly Microsoft boot
camp. “Using KSource, we can train employees in two weeks,
courses and exams included, and they retain a higher degree
of Microsoft knowledge.” KSource is available in both hosted
and installed configurations, but Tony says that what really
sets AppDev apart is customer service. He says, “When a
new module comes out, I get it implemented almost instantaneously,
and I can get legacy courses, such as Visual Basic
6, on demand. The AppDev team is fantastic to work with.” 

—Sam Davenport 


WINNER:
AppDev KSource Online Learning
http://www.appdev.com

FINALIST:
Kaplan IT Transcender
http://www.transcender.com

FINALIST:
Kaplan IT Self Test Software
http://www.selftestsoftware.com


Virtualization


Virtualization is the future of computing, not only for server
consolidation but also at the desktop level. If you haven’t
already begun looking into the technology, you will soon. It’s inevitable,
whether you’re a large corporation looking to tame bloat or
a smaller company needing to simplify administration and reduce
costs. If you head up a small-to-midsized business (SMB), you’ve
probably turned first toward VMware, probably the most well-known
virtualization platform on the planet. VMware offers all the
features you need, but perhaps you’ve been a bit intimidated by
that company’s pricing structure. Virtual Iron Software
is positioned in the market as a strong VMware competitor—with
much of the same functionality at a fraction of
the price. Virtual Iron 3.1, my Virtualization Editor’s Best
choice, the company’s enterprise-class virtualization platform,
is based on the open-source Xen hypervisor and
runs unmodified 32-bit and 64-bit Windows and Linux
OSs with near-native performance. Using Virtual Iron’s
Virtualization Manager, you can control, monitor, modify,
and automate virtual resources.

To get a feel for Virtual Iron in the real world, I spoke 
with Paul Joncas, CEO of Meganet Communications, 
an ISP/managed services company with 23 employees. 
Meganet’s environment, characterized by many standalone 
servers, faced mounting space, heat, and power-usage 
problems. Paul tried various methods to increase efficiency 
and eventually faced the prospect of virtualization. He told 
me, “We spoke with three companies, including VMware 
and Virtual Iron, and we zeroed in on Virtual Iron immediately,
for several reasons. First, Virtual Iron offered a lot of
the same features as VMware, which was great because we 
felt that we weren’t a big enough fish for VMware. Second, 
Virtual Iron’s pricing was certainly attractive—about $600 
or $700, compared with $4000 for VMware—although 
price wasn’t really the determining factor for us. What it really came 
down to was the eagerness and availability of Virtual Iron’s support
for even the most minute, seemingly trivial questions. We were
about to move into a totally different world, from standalone servers 
to a virtualized environment, so we obviously didn’t take this very 
lightly. Virtual Iron gave us all the attention we needed.” 

Today, Paul talks enthusiastically about his new streamlined
server room: “We’re realizing big electricity savings
and heat reduction. Over the next six months, we’re
looking forward to further emptying out our server
room and having everything running on the Virtual Iron
platform.”

—Jason Bovberg
InstantDoc ID 96395



WINNER:
Virtual Iron 3.1
http://www.virtualiron.com/products/index.cfm

FINALIST:
Vizioncore esxReplicator
http://www.vizioncore.com/esxReplicator.html

FINALIST:
VMware ESX Server 2.0
http://www.vmware.com/products/vi/esx
COMMUNITY CHOICE AWARDS


Antispam Solutions 
for Business 

(from the January 2007 Buyer’s Guide, 
InstantDoc ID 94326) 

Winner 

IronPort Systems C-Series 
Email Security Appliance 

http://www.ironport.com/products/email. 

security appliances.html 

Runners-up 

Barracuda Networks Barracuda
Spam Firewall 400

http://www.barracudanetworks.com/ns/ 

products/spam overview.php 

Postini Perimeter Manager 
Enterprise 

http://www.postini.com 


Change and Configuration Management Tools

(from the August 2006 Buyer’s Guide, InstantDoc ID 50620)

Winner

Microsoft Systems Management Server 2003 R2
http://www.microsoft.com/technet/prodtechnol/eval/sms2003/default.mspx

Runners-up

Altiris Client Management Suite
http://www.altiris.com/products/clientmanagementsuite.aspx

HP OpenView Configuration Management Solutions
http://h20229.www2.hp.com/solutions/ascm/index.html

Best Voter Comment:

I’ve been with SMS since 1.2 days (boy, was that hard at times), and am glad that Microsoft finally decided with 2003 that they were going to not only continue the lineage but actually spend some time and resources improving the product. It’s finally reached the stage where we keep wanting more from the product rather than just asking for it to work as promised, so the maturing has come with age (hey, it only took a dozen years).


Exchange Management Software

(from the October 2006 Buyer’s Guide, InstantDoc ID 93229)

Winner

Microsoft Exchange Server 2003 Management Pack for MOM 2005
http://technet.microsoft.com/en-us/library/aa996135.aspx

Runners-up

Lucid8 GOexchange
http://www.lucid8.com

Promodag Reports for Microsoft Exchange Server
http://www.promodag.com/products/reports/description.aspx

Best Voter Comment:

Back in the days of Exchange 5.5, we struggled with bloated stores and were forced to come in on weekends and do defrags. I have to admit that I focused on the store size and didn’t pay attention to errors and warnings and worked another weekend to defrag my stores and caused a major corruption. After working with Redmond support I was able to get things live. Then I discovered GOexchange a few years ago before we migrated to Exchange 2003 and now I never worry. Every time we run the product it comes back with new problems that it corrected. I swear by this tool. The support department is awesome too, not outsourced, and they’ll help you get things resolved.


Host-Based Intrusion Prevention Systems

(from the March 2006 Buyer’s Guide, InstantDoc ID 49076)

Winner

Symantec Critical System Protection
http://www.symantec.com/enterprise/products/overview.jsp?pcid=1322&pvid=928_1

Runners-up

eEye Digital Security Blink Endpoint Vulnerability Prevention
http://www.eeye.com

McAfee Host Intrusion Prevention 6.0
http://www.mcafee.com/us/enterprise/products/host_intrusion_prevention/index.html

iSCSI Storage Arrays

(from the April 2006 Buyer’s Guide, InstantDoc ID 49404)

Winner

HP ProLiant Storage Server with iSCSI Feature Pack
http://h18006.www1.hp.com/storage/disk_storage/storage_servers/index.html

Runners-up

Adaptec Snap Server Series
http://www.adaptec.com/en-us/products/iscsLprod

Dell EMC AX100i
http://www.dell.com
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KVM over IP Switches 

(from the February 2006 Buyer’s Guide, InstantDoc ID 48825)

Winner

Black Box Network Services ServSwitch Series
http://www.blackbox.com/catalog/category.aspx?cid=537

Runners-up

Avocent DSR Series
http://www.avocent.com/web/en.nsf/content/datacentertable

Raritan Computer Dominion Series
http://www.raritan.com


Light Database Tools

(from the March 2007 Buyer’s Guide, InstantDoc ID 95091)

Winner

Microsoft SQL Server 2005 Express Edition
http://www.microsoft.com/sql/editions/express/default.mspx

Runners-up

Microsoft SQL Server 2005 Compact Edition
http://www.microsoft.com/sql/editions/compact/ssceoverview.mspx

MySQL AB MySQL 5.0
http://www.mysql.com


Network Monitoring Tools

(from the December 2006 Buyer’s Guide, InstantDoc ID 93841)

Winner

NETIKUS.NET EventSentry
http://www.eventsentry.com

Runners-up

Quest Spotlight on Active Directory
http://www.quest.com/spotlight-on-active-directory

TNT Software ELM Enterprise Manager
http://www.tntsoftware.com/products/elmenterprisemanager.aspx


SharePoint Antivirus Solutions

(from the July 2006 Buyer’s Guide, InstantDoc ID 50312)

Winner

Symantec AntiVirus 4.3 for Microsoft SharePoint
http://www.symantec.com/en/uk/enterprise/products/overview.jsp?pcid=1008&pvid=829_1

Runners-up

Microsoft Antigen for SharePoint
http://www.microsoft.com/antigen/default.mspx

Trend Micro PortalProtect for SharePoint 1.6
http://us.trendmicro.com/us/products/enterprise/portalprotect/index.html


Two-Factor Authentication Tokens

(from the June 2006 Buyer’s Guide, InstantDoc ID 49938)

Winner

RSA USB Authenticator 6100
http://www.rsa.com

Runners-up

CRYPTOCard UB-1 USB Token
http://www.cryptocard.com/products/crypto%2Dtokens/ub%2D1usbtoken

Entrust USB Tokens
http://www.entrust.com/tokens/index.htm

Best Voter Comment:

I’ve been involved in a few projects incorporating the RSA two-factor authentication products and have always found them a powerful addition to the overall solution. This is especially true in solutions with remote VPN access or email access with Microsoft ISA Server, which includes the RSA agent in the shipped software, allowing for very easy integration. Being the industry leader in two-factor authentication definitely helps in integration projects.


Ultra-Portable Laptops

(from the January 2006 Buyer’s Guide, InstantDoc ID 48496)

Winner

IBM/Lenovo ThinkPad X Series
http://www.lenovo.com

Runners-up

Dell Latitude X1
http://www.dell.com

Sony VAIO T Series Notebook
http://b2b.sony.com/solutions/subcategory/notebooks/t-series

Best Voter Comment:

Now that I’ve had a taste of what IBM/Lenovo delivers, I won’t even think about other vendors’ products without first comparing them to IBM/Lenovo products. I used to be an HP fan, but I’ve found that HP’s support has gone down the drain, and the company doesn’t build the same kind of quality into its products that it has in the past. I had to send in one product six times before HP got it right. I hope others have had better luck.


Essential UPS

(from the May 2006 Buyer’s Guide, InstantDoc ID 49708)

Winner

APC Smart-UPS Series
http://www.apc.com/products/family/index.cfm?id=165

Runners-up

Belkin F6C100, F6C1250, and F6C1500
http://www.belkin.com

Tripp Lite SmartPro Series
http://www.tripplite.com/products/ups/ups_smartpro.cfm

Best Voter Comment:

I’ve used the APC units for over 10 years and always found them very reliable. Other than the batteries eventually failing like all batteries do after 4 to 5 years of continuous use (boy, do they get heavy after lugging them all over the place to replace), my only complaint would be the management software. We use the business edition but find that some of the history graphs for the units are only retained for 24 hours, which isn’t much good when you’re trying to diagnose an intermittent problem.

InstantDoc ID 96405
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Best of TechEd I Industry Excellence Awards 


BEST OF TECHED


Editor’s Note: See our sister publication, SQL Server Magazine, for the Best of TechEd winners in Business Intelligence, Database Development and Administration, Developer Tools and Technologies, Web Development, and Most Innovative Technology. Go to http://www.sqlmag.com and enter InstantDoc ID 96296.

Best Architecture Product 

Appistry Enterprise Application Fabric

The complexity of today’s computing environments creates challenges for developers and administrators who must make disparate systems work together and squeeze the best performance possible from every application on the network. Appistry Enterprise Application Fabric works at the application layer to provide scale-out virtualization, application-level fault tolerance, and automated management. The company’s “scale without fail” mantra is well suited to organizations running computational applications, image processing, and database transformations. Appistry Enterprise Application Fabric’s support for Linux and Windows OSs and .NET, Java, and C/C++ development environments provides a competitive advantage.

—Amy Eisenberg 

Best Business Application Product

Nintex SmartLibrary

Nintex SmartLibrary extends SharePoint Team Sites with advanced document management. Because SmartLibrary is built on Microsoft .NET technology, it fully integrates with SharePoint sites to maintain SharePoint’s look and feel, and no additional software is required on client machines. A customizable workflow process lets you easily design workflows by using drag-and-drop functionality. Workflow features include serial and parallel approval at the document and folder level, progress reporting, reviewer comments, and customizable email alerts. SmartLibrary augments SharePoint document libraries with change auditing, statistic reporting, and document undelete features and includes the ability to publish approved documents to other systems.

—Blake Eno 

Best Connected Systems Product

Neudesic Legacy Modernization with BizTalk Server 2006 and Host Integration Server 2006

Enterprises often use a reliable IBM mainframe or midrange system to run their line-of-business applications. But Windows is the preferred front end for new capabilities that need access to those systems, such as a check-out kiosk in a hotel lobby that must work with an IBM iSeries system. IBM on one side, .NET on the other—how do you get them to work together? BizTalk Server and Host Integration Server can help, but a successful implementation requires someone who understands both IBM and Microsoft technologies. You might have experts on both sides, but they don’t speak the language of those across the technological divide. An expert in legacy modernization from Neudesic can bridge the language gap and make the difference between a long, painful implementation and a quick, successful one.

—Barb Gibbens 

Best Management Product 

Opalis Integration Server 

Opalis Integration Server is a Run Book Automation solution that replaces repetitive manual tasks with automated IT best practices. Opalis Integration Server implements ITIL process automation, including problem-diagnostic, escalation, and repair processes; change management processes; and maintenance routines. It ensures compliance by automating manual audits and remediation, minimizing human intervention and thus reducing risk. Opalis Integration Server provides an easy four-step process for building customized workflows that requires no scripting. By eliminating repetition and reliably automating standard IT processes, Opalis Integration Server gives IT the freedom to deal with exceptions and the focus to support the business.

—Dianne Russell 

Best Microsoft Management Product

System Center Essentials 2007

“Management” covers a broad range of products—from large-enterprise IT infrastructure tools to small point solutions. Microsoft System Center Essentials 2007 supplies a robust management solution to an overlooked segment of the market: companies in the middle tier. System Center Essentials brings to midsized companies an integrated management solution that suits a wide variety of implementations. Tuned out of the box and easy to install and set up, System Center Essentials provides comprehensive monitoring and reporting, update management, software deployment, and software and hardware inventory capabilities. By providing a unified solution that so closely addresses the unique needs of midsized companies, System Center Essentials provides tremendous value to a historically underserved market.

—Dianne Russell 

Best Mobility Product 

Zenprise for BlackBerry 

Supporting a burgeoning number of mobile-device users is taking up ever larger chunks of IT administrators’ time. Zenprise for BlackBerry provides a comprehensive monitoring scheme that reduces the complexity of managing a BlackBerry Enterprise Server (BES) environment. The product greatly simplifies BES monitoring, troubleshooting, and problem resolution. Zenprise for BlackBerry is also unique in that it monitors the multiple variables—such as mobile device, carrier, and the Exchange environment—that can affect BlackBerry availability and draws on an extensive technical knowledge base to explain how to resolve problems. Especially impressive is the breadth and depth of status information visible on screen and how easy it is to drill down to get detailed information about users, problem causes, and resolution instructions.

—Anne Grubb 

Best Office System Product 

KnowledgeLake Capture 2007

KnowledgeLake Capture 2007, a batch scanning and indexing solution for Microsoft SharePoint, supports virtually all scanners on the market and lets you scan and index files and then store them in SharePoint 2007 and 2003 in TIFF, PDF, and XPS file formats. You can scan one document at a time or scan documents in batches. If you’re scanning images, KnowledgeLake Capture 2007 will use Optical Character Recognition (OCR) technology to extract document metadata. The software has a number of scanning and indexing features, including automated forms processing and the ability to read barcodes for document separation.

—Blake Eno 

Best Security Product 

GFI LANguard Network Security Scanner

GFI’s LANguard Network Security Scanner provides an integrated tool that performs both network security vulnerability assessment and patch management. The latest release of LANguard Network Security Scanner incorporates a comprehensive security vulnerability checking capability based on OVAL (Open Vulnerability Assessment Language) and the SANS Top-20 Internet Security Attack Targets to provide more than 15,000 vulnerability checks. In addition, LANguard Network Security Scanner can scan for open ports as well as blacklisted applications and USB devices. Patch management capability supports 38 languages and can deploy as well as roll back patches. A built-in network and software auditing feature provides reports showing open ports, installed software, password strength, and connected USB devices.

—Michael Otey

Architecture

Winner
Appistry Enterprise Application Fabric
http://www.appistry.com/products/index.html

Finalists
Neudesic Neuron ESB
http://www.neudesic.com/main.aspx?ss=7&pe=75
F5 Networks Application Ready Network
http://www.f5.com

Business Applications

Winner
Nintex SmartLibrary
http://www.nintex.com/nproducts/smartlibrary.aspx

Finalists
Biscom Delivery Server
http://www.biscom.com/secure-file-delivery/delivery-server.htm
K2.net K2 “BlackPearl”
http://www.k2.net

Connected Systems

Winner
Neudesic Legacy Modernization with BizTalk Server 2006 and Host Integration Server 2006
http://www.neudesic.com

Management

Winner
Opalis Integration Server
http://www.opalis.com/products_opalis_integration_server.asp

Finalist
Argent Extended Technologies
http://www.argent.com

Microsoft Management Product

Winner
Microsoft System Center Essentials 2007
http://www.microsoft.com/systemcenter/sce/default.mspx

Mobility

Winner
Zenprise for BlackBerry
http://www.zenprise.com/products/blackberry.aspx

Finalists
Authenex A-Key 4000 Token
http://www.authenex.com/authenex-products/akey-token-4000.html
Idokorro Mobile Admin
http://www.idokorro.com/products/ma-features.shtml

Office System

Winner
KnowledgeLake Capture 2007
http://www.knowledgelake.com/capture/capture_2007.asp

Finalists
Messageware ActiveSend Personal
http://www.messageware.com/activesend/landing.htm
Skelta SharePoint Accelerator 2007
http://www.skelta.com/products/sps/sharepoint-workflow.aspx?menu=products

Security

Winner
GFI LANguard Network Security Scanner
http://www.gfi.com/lannetscan

Finalist
BeyondTrust Privilege Manager
http://www.beyondtrust.com

Microsoft Security Product

Winner
Microsoft Internet Security and Acceleration Server 2006
http://www.microsoft.com/isaserver/default.mspx

Finalist
Microsoft Forefront Client Security
http://www.microsoft.com/forefront/clientsecurity/default.mspx

SharePoint

Winner
Quest Software Site Administrator for SharePoint
http://www.quest.com/site-administrator-for-sharepoint

Finalists
Colligo Networks Contributor for SharePoint
http://www.colligo.com/products/sharepoint/contributor_home.asp
CorasWorks Workplace Suite
http://www.corasworks.com/products/workplacesuite

Unified Communication

Winner
Gold Systems Password Reset
http://www.goldsys.com/index.php?load=content&page_id=57

Finalists
FaxBack NET SatisFAXtion Enterprise Edition
http://www.faxback.com/products/enterprise/index.aspx
Quest Software Recovery Manager for Exchange
http://www.quest.com/recovery-manager-for-exchange

Windows Clients

Winner
Microsoft Windows PowerShell
http://www.microsoft.com

Microsoft Desktop Optimization Pack
http://www.microsoft.com
Microsoft Diagnostics and Recovery Toolset
http://www.microsoft.com

Windows Server Infrastructure

Winner
InovaWave DXtreme for Windows
http://www.inovawave.com/products/overview.aspx

Finalists
Double-Take Software ShadowCaster
http://www.doubletake.com
VMware Virtual Desktop Infrastructure
http://www.vmware.com/products/vdi

Notable Product

Idokorro Mobile Admin
http://www.idokorro.com/products/ma-features.shtml

Best Microsoft Security Product

Internet Security and Acceleration Server

Microsoft’s ISA Server provides organizations with edge security and gives users fast and secure access to Internet resources. ISA Server is an enterprise-level firewall with support for application-level filtering and content caching. It also provides comprehensive alerting and monitoring capabilities.

The new ISA Server 2007 release provides the integrated ability to publish load-balancing servers as well as Exchange 2007 and SharePoint resources. There is also a new Branch Office VPN Connectivity Wizard, flood resiliency, support for LDAP authentication, and a new single-sign-on capability that allows users to access a group of published Web sites without the need to authenticate to each Web site.

—Michael Otey 

Best SharePoint Product 

Quest Site Administrator for SharePoint

Third-party vendors have the opportunity to fill gaps in SharePoint functionality and add value for developers, systems administrators, and end users. Quest Software’s Site Administrator for SharePoint gives systems administrators a single point from which they can monitor and manage all the SharePoint sites on their network. The product’s auto-discovery feature helps IT professionals address rampant site proliferation on their company networks and provides visibility into the scope of SharePoint instances. Comprehensive reporting eases monitoring of critical information such as storage metrics, traffic usage, permissions, and site/server health. Site Administrator also builds on SharePoint’s capabilities around policies and allows IT pros to deploy and enforce policies across the network.

—Amy Eisenberg 


Best Unified Communication Product

Gold Systems Password Reset

“Can you reset my password?” is a refrain familiar to IT Help desk employees. Password-reset requests account for 30 percent of Help desk calls, according to Gartner—with a minimum cost of around $10 per call. Gold Systems Password Reset removes the IT administrative costs associated with such calls. It’s a speech-recognition solution, based on Microsoft Speech Server, which lets users reset their own passwords by phone. The product emphasizes security, including two-factor authentication and an optional biometric voice-verification module. It also uses a threat model, which Gold Systems developed with help from a security consultant, to identify and eliminate known password security vulnerabilities.

—Anne Grubb 

Best Windows Client Product

Microsoft Windows PowerShell

Microsoft says that Windows PowerShell has been downloaded almost a million times since its November 2006 release. PowerShell is a command-line shell and scripting language now supported by a number of products, including Exchange Server 2007, System Center Operations Manager, and System Center Virtual Machine Manager. The goal of PowerShell is to automate Windows systems administration tasks. PowerShell is full of features and functionality, including built-in cmdlets for managing Windows and the ability to perform storage calculations on the command line. Another noteworthy feature is the WhatIf function, which lets you test your commands before actually executing them.

—Blake Eno

THE TECHED ATTENDEE’S PICK AWARDS

Architecture
F5 Networks
Application Ready Network
http://www.f5.com

Business Intelligence
SoftArtisans
Office Writer
http://www.softartisans.com

Business Applications
Acronis
Acronis True Image 9.1 Workstation
http://www.acronis.com

Connected Systems
Symantec
Symantec Mail Security 8300 Series Appliances
http://www.symantec.com

Database Development and Administration
Quest Software
Quest Performance Analysis for SQL Server
http://www.quest.com

Developer Tools and Technologies
Pegasus Imaging Corporation
ImagXpress
http://www.pegasusimaging

Management and Operations
Symantec
Symantec Ghost Solution Suite
http://www.symantec.com

Mobility
Idokorro Mobile
Idokorro Mobile Citrix Client
http://www.idokorro.com

Office System
Skelta Software
Skelta SharePoint Workflow Accelerator 2007
http://www.skelta.com

Security
BeyondTrust Corporation
BeyondTrust Privilege Manager
http://www.beyondtrust.com

SharePoint
Syntergy
Replicator for SharePoint
http://www.syntergy.com

Unified Communications
Microsoft
Microsoft Office Communication Server
http://www.microsoft.com

Web Development and Infrastructure
Developer Express
DXperience ASP.NET
http://www.devexpress.com

Windows Clients
Microsoft
Microsoft Windows PowerShell
http://www.microsoft.com

Windows Server Infrastructure
Network Appliance
SnapManager for Microsoft Exchange
http://www.netapp.com

Best Windows Server Infrastructure Product

InovaWave DXtreme for Windows

Organizations of all sizes are using virtualization, but they often don’t get the return they expected because they find they can’t run as many virtual machines (VMs) on a server as they thought they could. InovaWave’s DXtreme for Windows at least doubles the number of VMs you can run on a server, yet it takes up only about 50MB of storage, is easy to install, and works with VMware software as well as Microsoft Virtual Server. When Branndon Stewart, senior director of marketing, showed me the performance improvements that have been documented for DXtreme in independent tests, I couldn’t at first believe him—in several tests, DXtreme improved performance by a factor of five or more. “We’ve actually had instances where the virtual machines outperform the physical hardware,” Branndon said.

—Barb Gibbens 


Notable Product 

Idokorro Mobile Admin 

Some products are notable simply because they make good sense. Idokorro Mobile Admin is such a product. Acknowledging the reality that IT administrators are often on call, the product turns a handheld device into a remote-administration console that makes it easier to respond to IT problems when you’re away from the office. Idokorro Mobile Admin provides a simple, surprisingly easy-to-read icon-based interface that lets you perform server administration tasks securely (using RSA SecurID authentication) from a variety of mobile devices. Although the product’s concept is simple, we think it’s worthy of recognition because of its potential to significantly affect how IT pros work.

—Anne Grubb

InstantDoc ID 96439



THE BEST OF MMS

Best Management Product by a Microsoft Partner

NetIQ AppManager
http://www.netiq.com

With a history of managing Windows environments that dates back to 1996, AppManager extends enterprise management capabilities into heterogeneous environments. Guided by customer feedback provided through customer advisory boards and user groups, NetIQ AppManager addresses task automation and performance monitoring across not only Windows, UNIX, and Linux environments but also VMware ESX Server, BlackBerry Enterprise Server, Oracle Grid Computing, and Cisco or Nortel VoIP solutions.

1st Runner-up

Special Operations Software SpecOps Deploy
http://www.specopssoft.com/products/specopsdeploy/

A direct and uncomplicated solution for an often complex task, SpecOps Deploy builds on existing AD infrastructure and Group Policy to allow software deployment without requiring new skill sets and additional infrastructure. This impressive approach to software deployment provides such features as real-time feedback on progress of deployments; support for Windows installer packages, legacy installs (e.g., setup.exe), and Microsoft patches; scheduling; and the ability to publish applications to either a user or a computer.

2nd Runner-up

Emulex VMPilot
http://www.emulex.com/products/hba/vmpilot/ds.jsp

Streamlining the deployment of data center virtualization, VMPilot optimizes SAN-attached storage for Microsoft Virtual Server by using virtual HBA ports that work like physical HBAs to create virtual machines (VMs) with SAN connectivity. VMPilot migrates VMs to and between physical servers while maintaining SAN attachment. The virtualized HBAs can be zoned in the fabric to isolate each VM and its storage and can be migrated without reconfiguring storage or copying files.

Most Innovative Product

KACE Networks KBOX 1000 Series Systems Management Appliance
http://www.kace.com/products/kbox1000.php

Offering a comprehensive and affordable solution to the complexities of systems management, KACE’s KBOX 1000 Series appliances provide end-to-end IT automation through an integrated bundle of operating environment and application software within a server appliance. The KBOX 1000 Series delivers hardware and software inventory, software distribution, patch management, remote control, and custom reporting capability in a secure, pretuned, and self-healing solution.

Special Achievement Award

Microsoft System Center Operations Manager 2007
http://www.microsoft.com/systemcenter/opsmgr/default.mspx

System Center Operations Manager 2007 represents a fundamental shift in Microsoft’s management products to a model-based approach. Key features include end-to-end service management, client monitoring, collective health monitoring, Audit Collection Services, and secure role-based administration. Ops Manager is differentiated by breadth of capability combined with Microsoft’s unique understanding of the Windows environment.

LEVERAGE LVR TO SIMPLIFY AD OBJECT RECOVERY

Upgrading to Windows Server 2003 requires this additional step

PROBLEM: Upgrading from Windows 2000 to Windows Server 2003 doesn’t automatically enable the Linked Value Replication (LVR) feature.

SOLUTION: To enable and fully leverage LVR, you must perform several additional steps.

WHAT YOU NEED: Windows 2003

DIFFICULTY: ••••O

BY GUIDO GRILLENMEIER


I n an ideal IT world, no user or administrator 
would make mistakes. More specifically, they'd 
never delete any data they still needed. But acci¬ 
dents do happen—typically, much more often than 
we'd like. Restoring accidentally deleted data on a 
network computer is a trivial task if you have a valid 
backup that contains the data. Recovery is fairly simple 
for data such as a file or folder deleted from one of your 
file servers. However, data stored in Active Directory 
(AD) is typically replicated across multiple domain 
controllers (DCs) and is more difficult to recover. 

Windows Server 2003's Previous Versions feature simplifies file and folder data recovery by leveraging the new Volume Shadow Copy Service (VSS), which lets you create snapshots of your shared file-system data at periodic intervals. Using this feature to recover an accidentally deleted file is as simple as right-clicking a folder to show its properties, selecting the Previous Versions tab, and viewing the folder's contents prior to the incident. Although Microsoft hasn't quite replicated this functionality for AD, Windows 2003 has various powerful new AD features, one of which is particularly helpful in recovering AD objects during an authoritative restore: Linked Value Replication (LVR). (Note: Microsoft has implemented additional features for the upcoming Windows Server version, Windows Server 2008, which will give AD administrators a similar experience for AD objects as the Previous Versions feature for files. You'll be able to open snapshots of the AD database as a separate offline instance, then use those instances to read data from previous versions of the objects.)



In this article, I describe the challenges AD administrators face when they need to recover accidentally deleted objects in their AD domains and how correctly leveraging the Windows 2003 LVR feature can help. This feature is especially important for companies that previously deployed their AD forest on Windows 2000, then upgraded to Windows 2003. In this case, administrators need to perform some extra work before they can take advantage of LVR's special benefits during object recovery.

What Is LVR? 

Before you can understand the benefits of LVR for recovery of AD objects, you must first understand how AD stores and replicates data, because this information is crucial to understanding the recovery process. As its name implies, LVR is a feature that improves the replication of linked values between objects in AD. Objects in AD are linked in many ways—the most well-known example is the linkage maintained to store the relationship between user and group objects. As Figure 1 shows, each group object has an attribute called member that references the distinguished names (DNs) of the group's members (such as users, computers, or other groups), and each user object has an attribute called memberOf that references the DNs of groups the user is a member of. In my example, John in the OU-Users organizational unit (OU) is a member of MyGroup in the OU-Groups OU.

Although you can view the DNs contained in a group's member attribute when using LDAP tools such as adsiedit.msc or ldp.exe, the DNs aren't actually used to store the links in AD. If they were, you'd have problems when renaming or moving objects, because these activities also change an object's DN. In reality, the AD database consists of a data table and a link table. All objects of all naming contexts hosted by a specific DC are stored in the data table, along with their DNs and a unique identifier called distinguished name tag (DNT), a 32-bit unsigned integer that is never reused.

To store links (references) between objects, the link table uses only the DNTs of the objects, which are then resolved to the correct DN of the object when reading the respective linked attribute via LDAP. This method essentially maintains referential integrity of the objects and their respective links. To reference parent-child relationships such as required for the OU hierarchy, AD uses a column called parent distinguished name tag (PDNT) in the data table. As you'd expect, the PDNT contains the DNT of the object's parent. Figure 2 is a simplified example of the AD database tables, showing that the user John is a member of the MyGroup group. If you look closely, you'll notice that Mary is also a member of this group and that she is John's manager.

An important difference exists between the two links that make up a link pair: Only the forward link (in my example, the member attribute of a group) can be edited by administrators, and only this link is replicated to other DCs in the domain or forest. The back link (memberOf in my example) is owned and maintained by each DC individually and isn't replicated. I'll come back to this crucial piece of information when I discuss the recovery process.

Figure 2: Simplified AD database tables (Win2K)

The Microsoft Management Console (MMC) Active Directory Users and Computers snap-in is somewhat misleading, because it lets you open the properties of a user object, then add a group to the user via the Member Of tab. In reality, the actions you perform in this UI actually update the linked-value pair's forward link (i.e., the member attribute of the respective group), and the DC creates the back link from the group to the user's memberOf attribute, as this UI shows. This also explains why an administrator doesn't need special permission to manage a user to add him or her to a group in AD—instead, write permissions to the group's member attribute are required.

In the context of AD recovery, the links between users and groups are most important to us because of their function of granting or revoking access to resources in an infrastructure. (For more information about other linked values, see the Web-exclusive sidebar "Determining Linked-Value Pairs in the Active Directory Schema," http://www.windowsitpro.com, InstantDoc ID 96311.) Another important thing to understand is that AD differentiates between single- and multi-valued attributes. It's no surprise that both the group's member attribute and the user's memberOf attribute are multi-valued—which ensures that a user can be a member of many groups and a group can have multiple users (and other objects) as group members.

SOLUTION STEPS:

1. Upgrade from Windows 2000 to Windows Server 2003.

2. Convert domains in your Active Directory (AD) forest from Win2K to Windows 2003 functional level.

3. Update legacy links in your AD forest.

The Smallest Unit of Replication

In a Win2K AD domain, the smallest unit of replication is an attribute. When Win2K was released, this fact was a great advancement from Windows NT 4.0, in which the smallest unit of replication is an object. However, Win2K DCs treat all attributes equally—regardless of whether an attribute contains only a few bytes or many thousand bytes. This replication mechanism is particularly challenging for multi-valued attributes such as a group object's member attribute, essentially causing the following two problems.

1. Excessive Replication Data and Limited Number of Group Members—If a group has 999 members and an administrator adds another member to the group, a Win2K DC will replicate the complete member attribute to its replication partners (i.e., the list of all 1,000 members). But because an update to the AD database must be written in a single transaction that's limited to the size of a multi-valued attribute with approximately 5,000 values, Win2K's AD doesn't support groups with more than 5,000 members. To work around this problem, companies with more than 5,000 users have implemented group-nesting mechanisms to keep the number of members below the supported maximum.

2. Loss of Changes—The Win2K replication mechanism leads to potential loss of group changes when two administrators add a different user to the same group on different DCs in the AD domain. If this happens at roughly the same time (i.e., before either change can replicate successfully to the other DC), one of the changes is lost. Ensuring that all administrators perform group changes on the same DC helps as a workaround to this problem.


The Windows 2003 LVR feature is one of the key changes in the way that AD replicates specific data. This feature is available only when your AD forest operates in either of the following forest functional levels:

• Windows 2003 interim—For NT 4.0 upgrade scenario; allows existence of NT 4.0 DCs in forest, but no Win2K DCs

• Windows 2003—All DCs in forest must be running Windows 2003; neither NT 4.0 nor Win2K DCs are allowed

When you perform an in-place upgrade of your Win2K AD forest, your forest functional level doesn't change automatically—the forest will run in Win2K functional mode, which doesn't support LVR. Even when you implement a brand-new AD forest using a Windows 2003 DC, the default forest functional level is set to Win2K. To raise the forest level to Windows 2003, you must first switch all the domains in the forest to the Windows 2003 domain functional level.

You can use the MMC Active Directory Domains and Trusts snap-in to check your domain and forest functional levels. To raise the forest functional level, right-click the top node called Active Directory Domains and Trusts, and select Raise Forest Functional Level from the context menu, as Figure 3 shows.

After your AD forest is successfully switched to the Windows 2003 forest functional level (which is an irreversible process and should thus be planned accordingly), the LVR mechanism is activated. For confirmation of this switch, see event ID 1695 in the NTDS event log of each DC in your forest.

LVR changes the smallest unit of replication: Each value in multi-valued attributes that are linked to other attributes will now replicate separately as the value is added to or deleted from the attribute. So if, for example, a user is added to a group that already contains 999 members on one DC, only the addition of that one user is replicated to the DC's replication partners in the domain. Similarly, the removal of a user from a group only replicates this status change of the link between the user and the group, instead of replicating all group members. LVR thus solves the two issues I previously described for the Win2K replication mechanism for multi-valued attributes:

• Unlimited Number of Group Members—Besides lowering the utilization of the network when replicating group changes, LVR has the great benefit that it effectively removes the upper limit for the number of members in a group. Groups with millions of members are fully supported in a Windows 2003 AD with LVR! However, the update to the AD database must still be written in a single transaction, which means that you shouldn't add or remove more than 5,000 members to a group in one operation. If your AD has automated group management, you should ensure that your provisioning or group management systems understand this limitation.

• Ensuring Integrity of Changes—Because the changes in group memberships and other linked values are replicated separately, changes to the same group performed at the same time on different DCs won't get lost.
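
The two replication behaviours described above can be modelled in a few lines. This is an added example, not code from the article or from AD itself: the Stamp ordering (version, then timestamp, then originating DC) is a simplified stand-in for AD's replication metadata, with the DC name standing in for the DC's GUID, and Paula and the UserN accounts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    """Replication metadata, compared in order: version, timestamp, DC."""
    version: int
    time: int
    dc: str


class Win2kDC:
    """Win2K model: the whole member attribute carries a single stamp."""

    def __init__(self, name, members, stamp):
        self.name, self.members, self.stamp = name, set(members), stamp

    def add_member(self, dn, now):
        self.members.add(dn)
        self.stamp = Stamp(self.stamp.version + 1, now, self.name)

    def outbound(self):
        # Every change ships the complete value list.
        return self.stamp, frozenset(self.members)

    def inbound(self, update):
        stamp, members = update
        if stamp > self.stamp:          # last writer wins for the attribute
            self.members, self.stamp = set(members), stamp


class LvrDC:
    """LVR model: every link value has its own stamp and present/absent state."""

    def __init__(self, name):
        self.name, self.links = name, {}   # dn -> (Stamp, present)

    def set_link(self, dn, present, now):
        old = self.links.get(dn)
        version = old[0].version + 1 if old else 1
        self.links[dn] = (Stamp(version, now, self.name), present)
        return {dn: self.links[dn]}        # only the changed value replicates

    def inbound(self, update):
        for dn, (stamp, present) in update.items():
            if dn not in self.links or stamp > self.links[dn][0]:
                self.links[dn] = (stamp, present)

    def members(self):
        return {dn for dn, (_, present) in self.links.items() if present}


PETER = "CN=Peter,OU=OU-Users,DC=RootR2,DC=net"
PAULA = "CN=Paula,OU=OU-Users,DC=RootR2,DC=net"   # constructed account


def concurrent_add_win2k(existing):
    """Two admins add different users on different DCs before replication."""
    base = Stamp(1, 0, "DC1")
    dc1, dc2 = Win2kDC("DC1", existing, base), Win2kDC("DC2", existing, base)
    dc1.add_member(PETER, now=100)
    dc2.add_member(PAULA, now=101)
    u1, u2 = dc1.outbound(), dc2.outbound()
    dc1.inbound(u2)
    dc2.inbound(u1)
    return dc1.members, dc2.members, len(u1[1])


def concurrent_add_lvr(existing):
    """The same two changes when each link value replicates separately."""
    dc1, dc2 = LvrDC("DC1"), LvrDC("DC2")
    for dn in existing:
        dc2.inbound(dc1.set_link(dn, True, now=0))
    u1 = dc1.set_link(PETER, True, now=100)
    u2 = dc2.set_link(PAULA, True, now=101)
    dc1.inbound(u2)
    dc2.inbound(u1)
    return dc1.members(), dc2.members(), len(u1)


if __name__ == "__main__":
    group = [f"CN=User{i},OU=OU-Users,DC=RootR2,DC=net" for i in range(999)]
    for label, run in (("Win2K", concurrent_add_win2k), ("LVR", concurrent_add_lvr)):
        m1, m2, payload = run(group)
        print(label, "converged:", m1 == m2, "Peter kept:", PETER in m1,
              "Paula kept:", PAULA in m1, "values sent per change:", payload)
```

In the Win2K model both DCs converge, but on the later writer's list, so Peter's membership disappears without any error being raised.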

Changes in the AD Database Tables

To enable LVR, the link table on DCs running Windows 2003 requires some updates. Similar to objects in the data table, linked values now require extra metadata, including an update sequence number (USN) to control replication. The USN is updated to the next available value for any changes made to an object's attribute or a linked value in the AD database, which allows a replication partner to request replication of only those changes that it doesn't yet know of. But more importantly, the new metadata in the link table also defines the status of a link, which can be one of three LVR link types:

1. Legacy—Link that's still stored in the old format with all values stored and replicated in a single blob; only contains "active" links.

2. Present—Link that's stored in the new LVR format and "active" (e.g., a normal member of a group).

3. Absent—Link that's stored in the new LVR format and "deleted" (e.g., a user whose membership was removed from a group).

Figure 4: LVR link status of groups

12 entries.
Loc.USN  Originating DC  Org.USN  Org.Time/Date
24788    CoreSite\DC1    24788    2006-12-15 20:50:15
24788    CoreSite\DC1    24788    2006-12-15 20:50:15
32782    CoreSite\DC1    32782    2006-12-18 23:46:19
24788    CoreSite\DC1    24788    2006-12-15 20:50:15
24788    CoreSite\DC1    24788    2006-12-15 20:50:15
24788    CoreSite\DC1    24788    2006-12-15 20:50:15
28733    CoreSite\DC1    28733    2006-12-18 20:58:00
24788    CoreSite\DC1    24788    2006-12-15 20:50:15
24788    CoreSite\DC1    24788    2006-12-15 20:50:15
24788    CoreSite\DC1    24788    2006-12-15 20:50:15
24788    CoreSite\DC1    24788    2006-12-15 20:50:15
24788    CoreSite\DC1    24788    2006-12-15 20:50:15

3 entries.
Type     Attribute  Last Mod Time        Originating DC  Distinguished Name
LEGACY   member                                          CN=John,OU=OU-Users,DC=RootR2,DC=net
LEGACY   member                                          CN=Mary,OU=OU-Users,DC=RootR2,DC=net
PRESENT  member     2006-12-19 02:33:06  CoreSite\DC1    CN=Peter,OU=OU-Users,DC=RootR2,DC=net

You can use the Windows Server 2003 Support Tools command-line tool Repadmin to view the status of the links in your groups. To retrieve the status information for a group called MyGroup on a DC called DC1, use the following command:

C:\>repadmin /showobjmeta DC1 CN=MyGroup,OU=OU-Groups,DC=RootR2,DC=net

Figure 4 shows the output from this command. As you can see, John and Mary were members of the group before LVR was enabled in the forest, and Peter was added to the same group later on. An important thing to understand is that even when you enable LVR in your forest, the links that existed in AD before you switched to the Windows 2003 forest functional level won't automatically update to LVR links. Instead, they'll remain in the AD database as "legacy" links, which usually isn't a problem because new links will still be stored as LVR links and thus the replication benefits are immediate. However, LVR links have another benefit that requires the links to be stored in "true" LVR format.

Benefits of LVR for AD Object Recovery

There's more to LVR than meets the eye—it not only improves normal replication of linked values, but it also improves recoverability of the links, in case you want to recover accidentally deleted objects in your AD domains. Recall what I said about the back links and forward links at the beginning of the article: Only the forward links are replicated between DCs in an AD domain. So, if you forced replication of a user object with all of its attributes, everything would replicate except for the back links referenced from the object. That means you couldn't replicate the user's group memberships, because the memberships are stored in the user's back-linked memberOf attribute.

When you use the native OS methods to restore an object, you basically force replication to occur. For example, after you boot into the Directory Services Restore Mode (DSRM), you'd restore the AD database via the system state backup from tape or disk on one of your DCs. Then—before reboot—you'd run the Ntdsutil command to perform an authoritative restore. An authoritative restore can be done for a whole subtree or for a single object and effectively increases the version number of all attributes of the object(s) to be recovered by 100,000 (per day of age of the backup). For more details on this process, see the Microsoft article "How to restore deleted user accounts and their group memberships in Active Directory" (http://support.microsoft.com/kb/840001).

In a Win2K AD forest, an authoritatively restored user wouldn't replicate its group memberships to other DCs in the domain. You'd need to manually repopulate the user's group memberships or leverage a tool such as Groupadd. Windows 2003 SP1 makes the recovery process of group memberships and other linked values a bit easier because it creates LDAP Data Interchange Format (LDIF) files during the authoritative restore process, which then let you import the group memberships after reboot. However, all these steps can take a considerable amount of time and are prone to human error.

With your Windows 2003 forest running at Windows 2003 forest functional level, LVR has an additional important benefit for the links that are actually stored as LVR links in your domains. Because the links can now be replicated separately, the Ntdsutil authoritative restore process will follow the back links and increase the version ID for all LVR forward links it finds for the restored object(s). In the context of a recovered user, this means that all of the user's group memberships in its own domain will be fully recovered. Note that a DC can update only objects and links in its own domain. Therefore, if your AD forest consists of multiple domains and you also need to recover a user's group memberships in those domains, you must still leverage the LDIF files from Windows 2003 SP1's version of Ntdsutil during the authoritative restore operation.

LVR links improve more than the recoverability of group memberships: all other multi-valued linked attributes (e.g., manager/directReports) behave the same way and will be recreated during restoration of an object that contains the relevant back links. Of course, if an object has forward links, such as the group's member attribute, the forward links will still replicate during object restoration as they always have.

Updating Your AD Groups to Contain LVR Links

To take full advantage of the LVR benefits during recovery, you need to ensure that none of your groups or other linked attributes contain legacy links. In a single AD domain environment, this approach simplifies the overall AD recovery processes.

To update existing links in your AD forest, you must remove and re-add the links to the linked attribute. For group memberships, you can easily accomplish this task by piping the output of the DSGET command as input to the DSMOD command. Using MyGroup as an example, you'd run the following DSGET group command with the -members option:

C:\>dsget group CN=MyGroup,OU=OU-Groups,DC=RootR2,DC=net -members

Web Figure 1 (http://www.windowsitpro.com, InstantDoc ID 96310) shows the output from this command. If you combine this command with the DSMOD group command and the -chmbr option (which is used to replace all memberships in a group), you can efficiently remove and add all of a group's members, as follows:

C:\>dsget group CN=MyGroup,OU=OU-Groups,DC=RootR2,DC=net -members | dsmod group CN=MyGroup,OU=OU-Groups,DC=RootR2,DC=net -chmbr

Web Figure 2 shows the output from this command. To see the effect the action had, run repadmin /showobjmeta again, as follows:

C:\>repadmin /showobjmeta DC1 CN=MyGroup,OU=OU-Groups,DC=RootR2,DC=net

As the output in Web Figure 3 shows, all the links are now of the type "present," meaning that they are full LVR links that will be leveraged during object recovery.

But be careful: Don't remove and re-add all group members for all your groups at once in a large environment, because doing so could result in a replication storm. Plan to switch your groups to LVR links so as to stagger the activity over a reasonable period of time.
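
To check which groups still need the conversion, and to confirm afterwards that it worked, the link section of the repadmin /showobjmeta output can be parsed and summarized. The following is an added example, not part of the original article: the sample text is constructed from the columns visible in Figure 4 (a state/attribute row followed by a DN row is an assumed layout), the ABSENT entry for Paul is invented for illustration, and the single_replace_ok flag is an assumption that applies the article's 5,000-values-per-operation guidance to a one-shot -chmbr replace.

```python
import re
from collections import Counter

# Limit the article gives for values added or removed in one operation.
MAX_VALUES_PER_OPERATION = 5000

# A link-value row starts with its LVR state, followed by the attribute name.
LINK_ROW = re.compile(r"^(LEGACY|PRESENT|ABSENT)\s+(\S+)\s*(.*)$")

# Constructed sample, modelled on the link entries shown in Figure 4.
BEFORE = r"""
4 entries.
Type    Attribute     Last Mod Time          Originating DC
======= ============  =============          ==============
        Distinguished Name
        =============================
LEGACY  member
        CN=John,OU=OU-Users,DC=RootR2,DC=net
LEGACY  member
        CN=Mary,OU=OU-Users,DC=RootR2,DC=net
PRESENT member        2006-12-19 02:33:06    CoreSite\DC1
        CN=Peter,OU=OU-Users,DC=RootR2,DC=net
ABSENT  member        2006-12-20 10:15:00    CoreSite\DC1
        CN=Paul,OU=OU-Users,DC=RootR2,DC=net
"""

# Constructed: the same group after its members were removed and re-added.
AFTER = BEFORE.replace(
    "LEGACY  member",
    "PRESENT member        2007-01-10 09:00:00    CoreSite\\DC1",
)


def parse_link_metadata(text):
    """Return one dict per link value: type, attribute, metadata, dn."""
    links, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        row = LINK_ROW.match(line)
        if row:
            pending = {"type": row.group(1), "attribute": row.group(2),
                       "meta": row.group(3).strip(), "dn": None}
            links.append(pending)
        elif (pending is not None and pending["dn"] is None
              and "=" in line and not line.startswith("=")):
            pending["dn"] = line       # the DN row belonging to the last link
    return links


def lvr_report(text, attribute="member"):
    """Summarize link states for one linked attribute of one object."""
    links = [l for l in parse_link_metadata(text) if l["attribute"] == attribute]
    counts = Counter(l["type"] for l in links)
    active = counts["LEGACY"] + counts["PRESENT"]
    return {
        "counts": dict(counts),
        "legacy_dns": [l["dn"] for l in links if l["type"] == "LEGACY"],
        "fully_lvr": counts["LEGACY"] == 0,
        # Assumption: replacing every member in one step touches all
        # active values, so it should stay within the article's limit.
        "single_replace_ok": active <= MAX_VALUES_PER_OPERATION,
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lvr_report(text))
```

Running the report per group before scheduling the change also gives the member counts needed to spread the conversions over time.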

Maximize the Benefits 

LVR adds various benefits to your AD forest, including reduced replication traffic when updating group memberships and an unlimited number of members in each group. But equally importantly, LVR also allows for automatic recovery of back-linked attributes when authoritatively restoring objects. Especially after upgrading a Win2K domain or forest, you must take special care to switch existing group links from legacy storage to the LVR format, to be able to leverage all the benefits of LVR.

InstantDoc ID 96310 
PASSWORD SYNCHRONIZATION

Microsoft solutions for secure access

by Jan De Clercq


Passwords have become a necessary evil to many users and administrators. Although passwords are a cheap solution for securing access to an IT infrastructure and its resources, poorly chosen or managed passwords can lead to insecure environments and the compromise of corporate data or resources. In addition, because different applications and environments have specific password requirements, most users end up with several passwords. Average users who must deal with different passwords often choose identical or easy-to-remember passwords. If a user's passwords aren't easy to remember, the user might record the passwords on a handy notepad. These practices make password compromise more likely than ever.

Several approaches exist for making passwords more secure and easier to manage. Options include enforcement of strong password policies, employment of credential mapping solutions, and use of password synchronization.

Strong password policies can ensure that passwords are changed at regular intervals and that they adhere to certain complexity rules—both of which lower the chances of successful password guessing or brute force cracking-based attacks on password hashes. Credential mapping solutions map a user's credentials that are needed to access different resources to a set of primary user credentials. Successful authentication using the primary credentials transparently unlocks the other user credentials and provides single sign-on (SSO) for that particular user to the other resources.

The third approach—password synchronization—specifically targets the user and administrator problem of having to deal with different passwords. Password synchronization can significantly ease users' and administrators' lives because it reduces the problem of multiple passwords to the management and maintenance of just one password. In this article I focus on Microsoft solutions for synchronizing passwords between Active Directory (AD) and other repositories. To start with, I define password synchronization and discuss the challenges you might face when architecting a password synchronization solution.

Definition and Challenges

A password synchronization solution ensures that a user's passwords that are stored in different repositories are kept synchronized. A single synchronized password is easier to remember than multiple passwords, and users are far less prone to having problems and calling the Help desk. Users also tend to write down their single synchronized passwords less often.

Password synchronization solutions come in two flavors: one-way and bidirectional. Table 1 lists four Microsoft password synchronization solutions and their characteristics (including one-way or bidirectional). (For more information about these solutions, see the Learning Path.) One-way password synchronization solutions push password changes from a central "master" repository to a set of connected repositories—these solutions are also referred to as "password push" solutions. In bidirectional password synchronization solutions, password changes can occur in any of the connected repositories. Even though both solutions sound like simple copy operations, they pose a few interesting challenges.

One challenge arises from the fact that passwords are stored in a secure format. For example, in AD, passwords are always stored in a hashed format. Hash functions are one-way cryptographic functions: You can't derive the original password from a password hash. As a result, accessing a user's plaintext password under normal AD operations is impossible. Plaintext passwords are available only when the password is set (i.e., when the associated user account is created), reset by an administrator, or changed by the user. This also means that passwords can—unlike other user attributes—be synchronized only when a password set, reset, or change event occurs. Also, unless users communicate with the password synchronization solution only when they set or change their password, password synchronization solutions require special software logic that can intercept plaintext passwords when users set or change their password on an AD domain controller (DC) or a Novell NetWare directory server.

Another challenge is password complexity rules. Different repositories typically have different rules regarding password complexity. When you set up password synchronization between repositories, you must define the least common denominator set of password complexity rules for each of the connected repositories. If you don't align the password complexity rules, synchronization will fail. For security experts, this alignment of the password complexity rules is a valid reason to argue against the security of password synchronization solutions. Moreover, security experts typically aren't fond of password synchronization solutions because they think that synchronizing password credentials between the databases of different authentication authorities is dangerous. Their objections are based on the "key to the kingdom" argument: If you know a user's password, you can access other resources that are secured with the same password (as long as you know the correct user account on the target system). However, this problem shouldn't be overemphasized. Even with password synchronization, a significant barrier still exists for a malicious person to access information that's secured using a user ID/password-based authentication scheme. The user must know the single synchronized password and the correct user ID on the target system. Nevertheless, when you implement password synchronization you need to educate your users about their single synchronized password's crucial role. In addition, you must constantly remind users of the dangers of social engineering and of sharing their password with others.

Finally, bidirectional password synchronization solutions require a synchronization loop detection mechanism. Without loop detection, password synchronization would go on forever between the different repositories. This problem doesn't occur with one-way password synchronization solutions.
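
The three challenges above (plaintext available only at change time, aligned complexity rules, and loop detection) can be seen together in a small model. This is an added example and not how ILM or any other Microsoft product is implemented: the Repository and PasswordSync classes, the origin-tag approach to loop detection, and the policy values in demo_repos are all constructed for illustration.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 50_000   # kept low so the demonstration runs quickly


class Repository:
    """Toy credential store that keeps a salted hash, never the plaintext."""

    def __init__(self, name, min_len, max_len, alphabet):
        self.name, self.min_len, self.max_len = name, min_len, max_len
        self.alphabet = set(alphabet)
        self._hashes = {}          # user -> (salt, derived key)
        self.writes = 0
        self.on_change = None      # password-change hook

    def accepts(self, password):
        return (self.min_len <= len(password) <= self.max_len
                and set(password) <= self.alphabet)

    def set_password(self, user, password, origin=None):
        if not self.accepts(password):
            raise ValueError(f"{self.name} rejects the password")
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._hashes[user] = (salt, key)
        self.writes += 1
        if self.on_change:         # the only moment the plaintext is available
            self.on_change(self, user, password, origin)

    def verify(self, user, password):
        salt, key = self._hashes[user]
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(key, probe)


class PasswordSync:
    """Bidirectional synchronization with optional loop detection."""

    def __init__(self, repos, loop_detection=True, max_hops=10):
        self.repos = list(repos)
        self.loop_detection, self.max_hops, self.hops = loop_detection, max_hops, 0
        for repo in self.repos:
            repo.on_change = self._changed

    def common_policy(self):
        """Rules every connected repository accepts, or an error if none exist."""
        min_len = max(r.min_len for r in self.repos)
        max_len = min(r.max_len for r in self.repos)
        alphabet = set.intersection(*(r.alphabet for r in self.repos))
        if min_len > max_len or not alphabet:
            raise ValueError("repository password rules cannot be aligned")
        return min_len, max_len, alphabet

    def change_password(self, source, user, password):
        min_len, max_len, alphabet = self.common_policy()
        if not (min_len <= len(password) <= max_len and set(password) <= alphabet):
            raise ValueError("password violates the common policy; nothing changed")
        self.hops = 0
        source.set_password(user, password)

    def _changed(self, source, user, password, origin):
        if self.loop_detection and origin is self:
            return                 # echo of our own write: stop here
        self.hops += 1
        if self.hops > self.max_hops:
            raise RuntimeError("synchronization loop: change keeps bouncing")
        for repo in self.repos:
            if repo is not source:
                repo.set_password(user, password, origin=self)


def demo_repos():
    """Constructed policies: a permissive AD-like store and a stricter one."""
    ad = Repository("AD", 7, 127, string.printable)
    unix = Repository("UNIX", 6, 8, string.ascii_letters + string.digits)
    return ad, unix


if __name__ == "__main__":
    ad, unix = demo_repos()
    sync = PasswordSync([ad, unix])
    sync.change_password(ad, "john", "Winter07")
    print("writes with loop detection:", ad.writes, unix.writes)
```

Checking the candidate against the common policy before the first write keeps the repositories from ending up with different passwords when only one of them would accept the new value.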

Using ILM or IIFP 

Microsoft Identity Lifecycle Manager (ILM, formerly known as Microsoft Identity Integration Server—MIIS) is Microsoft's provisioning or identity lifecycle management software. Besides directory synchronization, account provisioning, and deprovisioning services, ILM can also provide password synchronization and management services. ILM can provide these services between a wide range of connected repositories, including AD, Active Directory Application Mode (ADAM), Exchange 2000 Server or Exchange Server 2003, and Windows NT 4.0, as well as Lotus Notes, Sun ONE Directory Server, and Novell eDirectory. The latest ILM version is ILM 2007. For more information about ILM, go to the Microsoft Identity Lifecycle Manager 2007 Web site at http://www.microsoft.com/windowsserver/ilm2007/default.mspx.

Table 1: Characteristics of Microsoft Password Synchronization Solutions

Synchronization Solution | Type of Synchronization | Cost | Supported Repositories
ILM and IIFP | Bidirectional between Windows environments; one-way in mixed environments | ILM: ILM license. IIFP: Free with Windows Server 2003 or Win2K license | ILM only: Lotus Notes 5.0, Notes 4.6, Sun ONE Directory Server, eDirectory 8.7, eDirectory 8.6.2. ILM and IIFP: Windows 2003 AD, ADAM, Win2K AD, NT 4.0 SAM, Exchange 2003, Exchange 2000
SFU and Windows 2003 R2 | Bidirectional | SFU: Free with Windows 2003 or Win2K license. Windows 2003 R2: Windows 2003 R2 license | Windows 2003 R2, Windows 2003, XP, Win2K Server, Win2K Pro, NT Server 4.0, NT Workstation, HP-UX 11, Red Hat Linux 7.0, Solaris 7, AIX 4.3.3
HIS and ENTSSO | Bidirectional (may require third-party agents) | HIS license | Win2K, NT 4.0, Windows Server 2003, AS/400, RACF, ACF2, Top Secret
Services for NetWare | One-way | Free with Windows 2003 or Win2K license | Windows 2003, Win2K, NDS, eDirectory, NetWare 3.x binderies

Microsoft's Identity Integration Feature Pack (IIFP) can provide identity directory synchronization, account provisioning and deprovisioning, and password synchronization services—but only between AD, ADAM, and Exchange 2000 or Exchange 2003 instances. You can download this free software package from http://www.microsoft.com/downloads/details.aspx?familyid=d9143610-c04d-41c4-b7ea-6f56819769d5&displaylang=en.

ILM and IIFP connectivity to other repositories is based on the existence of a set of connectors or Management Agents (MAs)—as Microsoft refers to them—that are installed on the ILM or IIFP server. ILM and IIFP password synchronization doesn't require the installation of special agents on the target systems. This means that users or administrators must always interact directly with ILM or IIFP when setting or changing passwords. Two notable exceptions to this rule that don't require any explicit interaction between a user and ILM for setting passwords are when the Password Change Notification Service (PCNS) is used and when ILM creates a new user account. In the first case users can directly interact with a Windows DC for setting or changing their passwords. (I explain PCNS in more detail later in the article.) In the latter case ILM initializes a user's password to a predefined value when the associated user account is created as part of ILM's user account provisioning process.

Password set and change operations are supported by the AD, ADAM, and NT 4.0 MAs. The Lotus Notes, Sun ONE Directory Server, and eDirectory MAs support only password set operations. ILM and IIFP can also be extended to provide password synchronization services to other repositories through the creation of custom password extensions. If you don't mind coding and getting your hands dirty, the Developer Reference that comes with ILM and IIFP describes in detail how to create these password extensions.

As I explained previously, passwords can only be synchronized when they're available in plaintext (i.e., when a password set, reset, or change operation occurs). ILM and IIFP support the following interfaces for intercepting password sets or changes and initiating a password synchronization operation to a set of connected repositories: the Helpdesk Password Reset and the Self-Service Password Reset Web applications, and the Change Password option in the Windows Ctrl+Alt+Del dialog box.

When using the Helpdesk Password Reset or the Self-Service Password Reset Web applications, users or administrators interact directly with the ILM or IIFP server through a Web interface. Both Web applications are free add-ons to ILM and IIFP that are included in the MIIS 2003 scenarios. You can download these scenarios, including the necessary code and deployment instructions, from http://www.microsoft.com/downloads/details.aspx?familyid=15032653-d78e-4d9d-9e48-6cf0ae0c369c&displaylang=en. Microsoft's "User-Based, Self-Service Password Change Solution Guide for MIIS 2003" (http://www.microsoft.com/downloads/details.aspx?familyid=7e90b216-6cfd-4ccd-bdb9-2cc6be004bc4&displaylang=en) describes the Self-Service Password Reset Web application.

When using the Change Password option in the Ctrl+Alt+Del dialog box, users interact with ILM or IIFP indirectly through their authenticating Windows DC. This password change mechanism requires the installation of the PCNS on all DCs in the domain where user password changes must be intercepted. The PCNS logic is included in ILM and IIFP la. The PCNS can be installed on Windows 2000 and Windows Server 2003 DCs.

The PCNS is a Windows service that monitors AD password changes and
notifies other servers (e.g., ILM servers) of these password changes.
The PCNS consists of three pieces of software: a password filter DLL,
the PCNS, and the PCNS configuration utility. The password filter DLL
obtains a clear-text copy of the changed password from a DC's Local
Security Authority (LSA—lsass.exe). The PCNS receives the
password-change notifications from the password filter, queues them,
and sends them to the target systems. The PCNS configuration utility is
used to set the PCNS configuration data. This information is stored in
AD and includes the PCNS notification targets.
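Because a password filter DLL receives every changed password in clear text, and because the PCNS must be present on every DC, it is worth checking which filters each DC actually has registered. The following is an added example, not code from the article or from Microsoft: it parses the text that `reg query` prints for the LSA "Notification Packages" value on each DC and reports DCs that lack the PCNS filter or list a package outside a baseline. The filter name `pcnsflt`, the baseline set, the DC names and the sample captures are assumptions or constructed values.

```python
import re

# Input per DC is the text printed by:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"

# ASSUMPTION: name under which the PCNS password filter DLL is registered;
# confirm it against a DC where PCNS is known to be installed.
PCNS_FILTER = "pcnsflt"
# ASSUMPTION: packages a clean DC build in this environment already lists.
BASELINE = frozenset({"scecli", "rassfm", "kdcsvc"})

_VALUE_RE = re.compile(
    r"^[ \t]*Notification Packages[ \t]+REG_MULTI_SZ[ \t]*(.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_notification_packages(reg_output):
    """Return the registered package names, lower-cased, in registry order."""
    match = _VALUE_RE.search(reg_output)
    if match is None:
        raise ValueError("Notification Packages value not found")
    names = []
    # reg.exe prints a REG_MULTI_SZ as strings joined by a literal "\0";
    # some versions also append a trailing "\0\0", which yields empty items.
    for item in match.group(1).split("\\0"):
        item = item.strip().lower()
        if item.endswith(".dll"):
            item = item[:-4]
        if item:
            names.append(item)
    return names


def audit_domain_controllers(outputs, baseline=BASELINE, pcns_filter=PCNS_FILTER):
    """Map each DC name to a list of findings (empty list means clean)."""
    report = {}
    for dc in sorted(outputs):
        try:
            packages = parse_notification_packages(outputs[dc])
        except ValueError:
            # No usable capture: the DC's state is unknown, not clean.
            report[dc] = ["UNREADABLE"]
            continue
        findings = []
        if pcns_filter not in packages:
            # Password changes made on this DC would never be forwarded.
            findings.append("MISSING_PCNS_FILTER")
        for name in packages:
            if name != pcns_filter and name not in baseline:
                # Any registered filter sees clear-text passwords.
                findings.append("UNEXPECTED_PACKAGE:" + name)
        report[dc] = findings
    return report


# Constructed sample captures, one per DC (not real output).
SAMPLE_OUTPUTS = {
    "DC01": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0RASSFM\0KDCSVC\0PCNSFLT\0\0
""",
    "DC02": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0kdcsvc
""",
    "DC03": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0kdcsvc\0pcnsflt\0unknownflt.dll
""",
    "DC04": "ERROR: the capture for this DC failed (constructed)",
}

if __name__ == "__main__":
    for dc, findings in audit_domain_controllers(SAMPLE_OUTPUTS).items():
        print(dc, findings or "ok")
```
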

ILM and IIFP can support only one-directional or "password push"-based
password synchronization in mixed environments (i.e., Windows and
non-Windows). Neither ILM nor IIFP can replicate password sets or
changes originating on the non-Windows side of the synchronization
channel to the Windows side.


Using SFU or Windows 2003 R2

Microsoft's Services for UNIX (SFU) 3.5 is a software package that
Microsoft provides to Win2K and Windows 2003 customers at no additional
cost and that includes tools and services for integrating Windows and
UNIX/Linux platforms. SFU also includes a password synchronization
service. Windows 2003 R2 includes part of the SFU services, including
the password synchronization service. For more information about SFU
and its services, go to Microsoft's Windows Services for UNIX Web site
(http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx).

The SFU 3.5 and Windows 2003 R2 password synchronization service can
synchronize passwords between Windows 2003 R2,


Learning Path

ILM and IIFP resources:

“Does Your Network See Dead People?” InstantDoc ID 47780
“ENTSSO Password Synchronization,” InstantDoc ID 44408
“Extending MIIS 2003 Functionality,” InstantDoc ID 42410
“Getting to Know ADAM,” InstantDoc ID 42450
“Identity Lifecycle Manager 2007,” InstantDoc ID 95762
“Secure Directory Access with MIIS,” InstantDoc ID 42818

SFU and Windows Server 2003 R2 resources:

“Microsoft Windows NT Services for UNIX,” InstantDoc ID 7881
“New Features in Windows Server 2003 R2,” InstantDoc ID 49750
“R2 Moves Windows 2003 Forward,” InstantDoc ID 48251
“Services for UNIX 3.5,” InstantDoc ID 42920
“Services for UNIX 3.5’s Flair for Interoperability,” InstantDoc ID 44996
“What You Probably Don’t Know About Windows Server 2003 R2 (Part I),” InstantDoc ID 47588

Host Integration Server 2006 resources:

Host Integration Server Community,
http://www.microsoft.com/technet/community/en-us/hiserver/default.mspx
Microsoft Host Integration Server Web site,
http://www.microsoft.com/hiserver/default.mspx

Services for NetWare resources:

Microsoft Windows Services for NetWare 5.03 Web site,
http://www.microsoft.com/windowsserver2003/sfn/default.mspx
Windows 2003, Windows XP, Win2K Server, Win2K Pro, NT Server 4.0, and
NT Workstation platforms on the Windows side, and HP-UX 11, Red Hat
Linux 7.0, Solaris 7, and AIX 4.3.3 platforms on the UNIX side. The
service can synchronize passwords between domains and standalone
machines on the Windows side, and between Network Information Service
(NIS) databases and standalone machines on the UNIX/Linux side.

You can set SFU and Windows 2003 R2 password synchronization to work in
both directions (i.e., from Windows to UNIX or from UNIX to Windows)
for all the UNIX platforms I mentioned, with the exception of AIX. The
SFU and Windows 2003 R2 password synchronization service triggers a
password synchronization action each time a user updates his or her
password on a Windows machine (for Windows-to-UNIX synchronization) or
on a UNIX/Linux host (for UNIX-to-Windows synchronization).

To support this bidirectional password synchronization, SFU and Windows
2003 R2 password synchronization require the deployment of special
password synchronization software. If passwords are to be synchronized
between a Windows domain and UNIX/Linux environment, the SFU and
Windows 2003 R2 password synchronization service must be installed on
all Windows DCs. This requirement is necessary because password updates
can occur on any server in a multi-master model. The password
synchronization service must also be installed on a Windows standalone
machine if passwords are to be synchronized between the standalone
machine and UNIX/Linux. Windows-to-UNIX/Linux password synchronization
requires the ssod daemon on the UNIX/Linux platform.
UNIX/Linux-to-Windows password synchronization requires the pam_sso
module on the UNIX/Linux side.

Using HIS 

Host Integration Server 2006 (HIS 2006; http://www.microsoft.com/hiserver)
is the most recent version of Microsoft's mainframe gateway server
software. Earlier Microsoft HIS versions were referred to as SNA
Server. HIS 2006 helps enterprises integrate their mission-critical
host-based applications, data sources, messaging, and security systems
within a Microsoft .NET-oriented architecture, enabling the reuse of
IBM mainframe and midrange (IBM AS/400) data and applications across
distributed environments.

HIS comes with an optional component called Enterprise Single Sign-On
(ENTSSO) that can provide single sign-on (SSO) services between Windows
and mainframe or midrange system environments. ENTSSO is a good example
of a server-side credential caching-based SSO solution. In addition to
server-side credential caching-based SSO, ENTSSO can also be used for
bidirectional password synchronization between Windows and non-Windows
environments. ENTSSO includes password synchronization interfaces and
the PCNS. This is the same PCNS as for ILM and IIFP, which I explained
previously. The PCNS can also send password change notifications to an
HIS ENTSSO server.

Finally, HIS includes an agent that can make ENTSSO password
synchronization bidirectional when synchronizing with AS/400 systems.
For mainframes, a third-party software agent is required to achieve
complete bidirectional synchronization with the security systems of
IBM's Resource Access Control Facility (RACF) and ACF2, and CA's Top
Secret. An example of a software vendor that provides an additional HIS
ENTSSO password synchronization agent is Proginet (http://eps.proginet


Using Services for NetWare 

Services for NetWare is a software package that Microsoft provides at
no additional cost and that simplifies the integration of AD and Novell
Directory Services (NDS), eDirectory, or bindery-based environments.
Services for NetWare can also provide one-way password synchronization
from AD to a bindery, NDS, or eDirectory. The latest version is
Services for NetWare 5.03; for more information, go to the Microsoft
Windows Services for NetWare 5.03 Overview Web site
(http://www.microsoft.com/windowsserver2003/techinfo/overview/sfncd.mspx).

Services for NetWare lets you use one of the following methods for
password synchronization:

• After users are copied from a bindery, NDS, or eDirectory to AD, the
users are prompted to change their passwords when first logging on to
AD. The new AD passwords are then synchronized with the corresponding
password attributes in a bindery, NDS, or eDirectory. This method is
called initial reverse synchronization.

• When user accounts are created in NDS or eDirectory, the new user
objects are copied to AD. When the new users successfully log on to AD,
they're prompted to change their passwords. The new passwords are then
copied to NDS or eDirectory.

• When users change their passwords or when an administrator resets
user passwords in AD, the new passwords overwrite the existing bindery,
NDS, or eDirectory passwords.

Or Using Third-Party Solutions?

The password synchronization solutions I discuss in this article each
have unique characteristics and target specific synchronization
scenarios. Obviously many other password synchronization solutions
exist. Password synchronization logic is included in all of today's
identity provisioning software (e.g., IBM Tivoli Identity Manager, HP
OpenView Select Identity). In addition, specialized password
synchronization products are available (e.g., M-Tech's P-Synch,
Courion's PasswordCourier). Comparing the non-Microsoft provisioning
solutions with ILM is difficult; the products have equivalent features
and their differences are minor. However, the specialized password
synchronization products stand out because they support a much wider
range of connected repositories. These solutions also include a
self-service password reset Web site (where end users can reset their
passwords or unlock their accounts if they get locked out), a Help desk
password reset portal (where Help desk personnel can reset passwords
and unlock accounts), and several other key features such as a phone
interface for password resets, automated password expiration emails,
and logon script password expiration notifications. Of course, these
extra features aren't free—so you need to decide whether your needs
justify their cost. Microsoft's password synchronization solutions
might well be your best bet.
DEPLOY A SINGLE APPLICATION THROUGH TERMINAL SERVICES

Deliver key applications to end users at all locations

PROBLEM:

You have a network of 500 users, geographically dispersed on the
company WAN. Payroll has chosen a new computer-based timesheet program
that employees will use multiple times per week. HR is expected to
implement a computer-based performance-evaluation system. Neither
application is Web-based, and users travel among multiple offices.
These applications need to be accessible from every computer on the
network.

SOLUTION:

Build a Terminal Services environment to deliver these applications to
end users at all locations

WHAT YOU NEED:

One server, Windows Server 2003/2000 license with CD-ROM, Terminal
Services licensing server (can be installed on existing server),
Terminal Services CAL for each user or device that will connect to the
server

DIFFICULTY:

•••oo

BY NATE McALMOND


As networks grow and change, a problem that continues to plague
administrators is how to deploy software to a certain number of
desktops at a certain number of locations—with limited resources. IT
guys have been coming up with creative solutions to this problem for
quite some time. Some administrators fire up their Microsoft Systems
Management Server (SMS) or Novell ZENworks servers, whereas others turn
to Citrix server farms. These are great tools for pushing software to
the desktop, but many of us don't need anything quite that
comprehensive—not to mention expensive. If you need to deploy an
in-house application, the option to make it Web-based might have been
your decision from the start.

My entire company revolves around a Web-based application that manages
everything from finances and payroll to clinical treatment plans and
document management. The software started as just a character-based
emulator connected to a UNIX database, but over the years, the system's
developers converted it to a Web-based solution and started adding more
and more business processes into the system. However, even though it's
running in a Web browser, it still requires about 12 programs installed
on each desktop to work properly. Even worse, in the beginning, these
12 programs didn't work so well most of the time, often requiring a
reinstallation of one or more components before everything worked
right. After a Microsoft Internet Explorer (IE) or Java update, they'd
break again. Then, a couple months later, the developers would release
an update and with it some additional or replacement software for the
desktop. The software had to be installed as an administrator. To make
matters worse, we're a non-profit company operating on a razor-thin
budget, and the IT director assumed our four-man department would just
drive to all 20 locations and manually install the desktop software. As
a freshly crowned Windows 2000 Server MCSE, I decided I'd just slap
together an MSI file and let Active Directory (AD) solve my problem.
After a number of failed attempts at producing a working installation
file with the free tool that came on the Win2K CD-ROM, I decided to see
what kind of Microsoft Terminal Services solution I could find.

You've probably heard that one of the new features 
in Windows Server 2008 is the ability to present single 
applications from a terminal server. That new feature 
is merely a very nice improvement. In fact, Microsoft 
Terminal Services—without the aid of Citrix—has 
been able to provide access to single applications for 
quite a while, and for those of you who will be using 
Windows Server 2003 or even Win2K Server for the 
foreseeable future, here's how to do it. 

STEP 1: Install and Configure Your Server

Unless you already have a terminal server running, you'll need to build
your server. With this type of server, you really need to focus on
performance. We use HP DL385 servers with twin Opteron processors and
4GB of RAM to support about 60 users per server with a full desktop.
You don't have to go overboard, but be sure to size the system
correctly for your environment. (Hopefully, the quad-core systems will
have a decent price point.)

I highly recommend using RAID 1 configuration because it gives you some
nice options down the road. For example, with a mirror, you can remove
a disk whenever you're running a major update or performing any type of
risky change to the OS or software. If something goes wrong, you can
shut the system down, switch disks, and boot the system off the
unchanged disk. Then, simply pop the changed disk in and let it
resynchronize with the unchanged disk. If you don't have hot-swappable
hardware RAID, the steps will be different, but the idea is the same.
In fact, if it's a small deployment and you're using a software mirror,
you don't even have to remove a drive. Just break the mirror and make
your changes. If everything goes well, simply add the unchanged drive
back to the mirror and let it resynchronize. Another reason I like
using mirrors is that it makes building future new servers a pretty
quick process—provided you have matching hardware. You'll need to use
Sysprep to prevent duplicate SIDs with existing servers, and change the
name and IP address of the new server, but that's about it.

Sufficient RAM is essential to a terminal server. Memory is fairly
cheap, so I start with at least 1GB. How much you need depends on the
amount of memory required by the applications you plan to deploy,
multiplied by the number of users you expect to have on the system. I
use Task Manager to get an idea of how much memory each user will
consume. After you finish sizing and scaling your server, set your page
file to double the amount of RAM—it's very important that the server
not run out of memory.

Next, you should disable unnecessary services. Letting unneeded
services run only wastes system resources. For example, why leave the
Windows Audio service running on a server that won't have any sound
applications? Some services, such as the Remote Registry service,
expose features that could make the server more vulnerable to attack.
You can easily disable services through the Control Panel Services
applet. For more information about which services are OK to leave
running and which should be disabled, see the Learning Path.

At this point, you should have a working Windows 
server that's ready to be converted to a terminal 
server. Open the Add or Remove Programs applet, 
click Add/Remove Windows Components, and 
add the Terminal Server component. (You'll need to 
insert the CD-ROM, or you'll need to have access to 
the \I386 folder.) 

As users log off the server and their sessions close, some applications
won't remove their handles to registry hives that were in use while the
user was logged on. The result can be sessions not ending completely.
Install the User Profile Hive Cleanup Service. (See the Learning Path.)
In Windows 2003, you can see this phenomenon in the event log as an
error—event ID 1517 or 1524.

You'll need to install Secure RDP. (See the “2X Thin 
Client Computing Software" link in the Learning Path.) 
Even if you don't use any of the settings of this program, 
its log file is much more useful than the information 
you'll find in the Windows event logs. Also, the tool 
has some great filters and options that you can use to 
lock down your system and change the way it behaves. 
You'll need some of the options later to make sure the 
system resets old connections as users log on. 

Because you'll be launching a single application 
from your remote desktop connection, you'll need 
to install a second network card so that you can still 
administer the server remotely. You'll need to assign a 
static IP to each NIC. This way, you can be sure which 
interface you're connecting to later. After you're done, 
one interface will be offering your application to clients 
and the other will be your remote connection to the 
desktop for administration. 
SOLUTION STEPS: 

1. Install and optimize 
Terminal Services. You’ll 
need to do a bit more than 
just add the component. 

2. Configure the 
connections. How do you 
want users to connect? 
Automatic logon? 
Disconnect? Limits? 

3. Deploy to end users. 
Save a remote desktop 
connection to your 
intranet (or file share) 
so that end users can 
browse and choose which 
applications they need to 
launch. 
Learning Path

WINDOWS IT PRO RESOURCES:

“Dangerous Services, Part 1,” InstantDoc ID 16301
“Dangerous Services, Part 2,” InstantDoc ID 16363
“Dangerous Services, Part 3,” InstantDoc ID 16476
“Interactive Windows Logon Sessions,” InstantDoc ID 95113

MICROSOFT RESOURCES:

“Windows Server 2003 Terminal Services”
http://www.microsoft.com/windowsserver2003/technologies/terminalservices/default.mspx
http://technet2.microsoft.com/windowsserver/en/technologies/featured/termserv/default.mspx

“Windows Server 2003 Terminal Server Security”
http://www.microsoft.com/downloads/thankyou.aspx?familyId=402a0cd1-9e4d-4007-8eaf-c30623e71250&displayLang=en

“Windows Server 2003 Terminal Server Capacity and Scaling”
http://www.microsoft.com/windowsserver2003/techinfo/overview/tsscaling.mspx

“How to override the license server discovery process in Windows Server 2003 Terminal Services”
http://support.microsoft.com/kb/279561

“Windows 2000 Terminal Services”
http://www.microsoft.com/technet/prodtechnol/win2kts/default.mspx

“Securing Windows 2000 Terminal Services”
http://www.microsoft.com/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.mspx

“Microsoft Windows 2000 Terminal Services Licensing”
http://www.microsoft.com/technet/prodtechnol/win2kts/evaluate/featfunc/tslicens.mspx

“User Profile Hive Cleanup Service”
http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

OTHER RESOURCES:

MSTerminalServices.org
http://www.msterminalservices.org/
2X Thin Client Computing Software
http://www.2x.com



Keep in mind that you now have a system that presents a logon screen
over the network. I would definitely consider changing the default port
and changing the name of the local administrator, as well as whether a
domain administrator should even be able to log on remotely. You'll
find plenty of online information about securing a terminal server. The
Learning Path contains two good resources.


Next, ensure that your new server is referencing a valid Terminal
Services licensing server on your network. To do so, select
Administrative Tools, Terminal Services Configuration, Server Settings.
By default, your server will be in Automatic discovery mode. Terminal
Services won't work after 60 days unless it can find a valid licensing
server. Installing a licensing server isn't difficult, but it's outside
the scope of this article. For information about setting up a licensing
server, see the Learning Path.

If you're using Windows 2003, open the License server discovery mode
setting under Server Settings. If you're in Automatic licensing server
discovery mode, the server name will appear at the bottom of the
window. You can also manually configure the licensing server. Win2K
doesn't have a place to manually specify a licensing server. So, if you
have trouble getting the server to recognize an existing licensing
server, you'll need to specify a licensing server by accessing the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
registry subkey. Add the value DefaultLicenseServer, of data type
REG_SZ. Replace the ServerName data value with the NetBIOS name of the
licensing server.

STEP 2: Set Up the Connections

Now, it's time to configure the connections. In 
Administrative Tools, open Terminal Services 
Configuration and select the Connections 
folder. You should see the default connection 
already installed. 

For the purposes of this article, we'll use the default connection for
administering the server and create a new connection for single
application access. The trick is that each connection needs its own
NIC. So, before you go any further, double-click the existing
connection and go to the Network Adapter tab. Use the drop-down menu to
assign this connection to one of the two NICs you installed during
setup. Now is a good time to make all your other configuration changes,
such as raising the encryption level on the General tab and permitting
only administrators and members of the IT department to connect on this
interface by changing the ACL to include only specific Windows users or
groups on the Permissions tab.

At this point, you should be able to go back to your desk, connect
remotely to the default interface, install your application, and
complete the setup. To get connected to the server, open Remote Desktop
Connection from Start, Programs, Accessories, Communications. On the
Remote Desktop Connection screen, for Computer, enter the IP of the NIC
you assigned to your connection. Click the Connect button and log on to
your server.

Before beginning your installation, you 
need to open a command prompt and type 

change user /install 

This command moves user-specific .ini files to the system directory
during the installation. Now, a master copy is available for other
users. For more information, see the Microsoft article "Terminal Server
Commands: CHANGE" (http://support.microsoft.com/kb/186504).

Now, install your application. After the installation is finished, go
back to the command prompt and type

change user /execute 

Go back to Control Panel, Administrative Tools, Terminal Services
Configuration and right-click the Connections folder. Choose Create New
Connection, which starts the Terminal Services Connection Wizard. Most
of the wizard's options are self-explanatory. Just be sure to choose
the second network adapter when you get to the end. Double-click the
connection you just created to open the Properties window.

On the General tab, which Figure 1 shows, enter a comment that's
descriptive enough to let other administrators know what the connection
is for without having to tab through the properties. On this tab, you
can also adjust the security settings and assign a digital certificate
for running your connections over SSL.

On the Logon Settings tab, you can configure the type of logon you'd
like to use. By default, the regular Windows logon screen will appear
and users will need to enter their username and password to log on.
However, if you're deploying an application with its own user-accounts
database or you just don't care who uses it, you might want to
configure this connection to automatically log on. Doing so will make
your application launch more like a regular desktop application.

On the Sessions tab, which Figure 2 shows, you need to configure the
options that tell the system what to do depending on the current state
of the session. If you're not supplying logon credentials on the
Sessions tab, select the first Override user settings check box and set
the End a disconnected session check box to 1 hour. With these settings
configured, end users who have closed the connection without logging
off will be removed and memory will be returned to the system. If
you're supplying a username and password for automatic logon, select
the second Override user settings check box and click the End session
radio button.

[Figure 1: Adjusting security settings (General tab of the RDP-Tcp Properties dialog box)]

[Figure 2: The Sessions tab (RDP-Tcp Properties dialog box)]

By default, once the user is logged on, the 
Windows desktop will appear and the user 
will need to launch the necessary application 
manually. On the Environment tab, you can 
configure the system to launch an application 
instead of showing the desktop. Select the Start 
the following program radio button, and enter 
the path to the application executable. 

The Remote Control tab isn't useful for automatic logon, so skip to the
Client Settings tab. Unless you're a single-LAN company, you'll want to
adjust the color depth down from the default 16-bit to reduce the
bandwidth your connection will require. For security reasons, many
shops will want to also disable drive mapping. In fact, if you see
something here that you don't think you'll need, just select the
appropriate check box. (That's right, prepare yourself for some
Microsoft backward-speak: You'll select items to disable them.)

If you're going to be using an account for automatic logon, you'll need
to adjust the security access similar to the way you did before. Select
the Permissions tab. Remove everyone but the Administrators group from
the ACL, and add the account that will log on automatically. Click
Apply, then Close.

There are just a few more details to take care of. From the MMC
Terminal Services Configuration snap-in, select the Server Settings
folder and ensure that Restrict each user to one session is set to No.
If you forget this step, the automatic logon account will be able to
log on only once. When the second person tries to log on, he or she
will get a message stating that more than one logon is forbidden.
Before you turn users loose, you should also take care of printers.
Open an MMC console, and add the Group Policy Object Editor for the
Local Computer Policy. Expand to Local Computer Policy, Computer
Configuration, Administrative Templates, Windows Components, Terminal
Services, Client/Server data redirection, and click Terminal Server
Fallback Printer Driver Behavior. Change the setting to Enabled, and
configure the drop-down option to Show both PCL and PS if one is not
found. Doing so will let your users print even if they don't have a
recognized printer driver on their workstation.

Technically, everything is working and ready for end users to start
logging on. However, if you're providing logon credentials, you need to
make one more adjustment to ensure that sessions get closed in a timely
manner. Open Secure RDP, and select Session Restrictions in the left
pane. Click Sessions per User and select the check boxes to reset
disconnected sessions. Next, choose to save and then apply the
configuration from the File menu.

STEP 3: Deliver to Users

Now, you've got a server ready to distribute an application that you'd
otherwise have to spend much time and energy determining how to deploy
across the entire network—not to mention updating and upgrading. To
save a connection for your end users, open Remote Desktop Connection
again from Start, Programs, Accessories, Communications; this time,
type in the IP address or DNS name of the NIC associated with the
connection you created earlier. Click the Options button to expand the
window. Take a look at each of the tabs. Because users across a WAN
will be using this application, I recommend that you change the colors
on the Display tab to 256 Colors and allow only Bitmap caching on the
Experience tab. On the General tab, use the Save As button to save a
shortcut to a location where users will be able to access it. Make sure
users have Read Only permissions.
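A check for the saved connection file before it goes onto the share, as an added example that is not from the article: it parses the file's `name:type:value` lines and flags a target that is the administrative NIC rather than the application NIC, a saved password blob, a drive redirection request, and a color depth other than 256 colors. The IP addresses, the account name and both sample files are constructed; looking at drive redirection on the client side goes one step beyond the server-side setting the article describes.

```python
RDP_TYPES = ("s", "i", "b")  # string, integer, binary


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name."""
    settings = {}
    for lineno, line in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # maxsplit=2 keeps colons inside the value, e.g. "host:port".
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in RDP_TYPES:
            raise ValueError("line %d is not name:type:value" % lineno)
        name, kind, value = parts
        settings[name.lower()] = int(value) if kind == "i" else value
    return settings


def audit_rdp(text, app_address, admin_address):
    """Return findings for a connection file that is about to be published."""
    settings = parse_rdp(text)
    findings = []

    # The published shortcut must point at the NIC bound to the single
    # application connection, never at the NIC kept for administration.
    host = str(settings.get("full address", "")).partition(":")[0].lower()
    if host == admin_address.lower():
        findings.append("TARGETS_ADMIN_INTERFACE")
    elif host != app_address.lower():
        findings.append("UNKNOWN_TARGET:" + host)

    # Automatic logon is configured on the server's Logon Settings tab;
    # a file every user can read should not carry stored credentials.
    if settings.get("password 51"):
        findings.append("SAVED_PASSWORD")

    # Client-side request for drive mapping.
    if settings.get("redirectdrives", 0) == 1:
        findings.append("DRIVE_REDIRECTION_REQUESTED")

    # 256 colors is 8 bits per pixel.
    if settings.get("session bpp") != 8:
        findings.append("COLOR_DEPTH_NOT_256")
    return findings


# Constructed sample files (addresses and values are made up).
GOOD_RDP = """\
screen mode id:i:2
full address:s:10.0.20.5
session bpp:i:8
redirectdrives:i:0
redirectprinters:i:1
bitmapcachepersistenable:i:1
disable wallpaper:i:1
"""

BAD_RDP = """\
screen mode id:i:2
full address:s:10.0.10.5:3390
username:s:appuser
password 51:b:CONSTRUCTED00PLACEHOLDER00BLOB
session bpp:i:16
redirectdrives:i:1
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_RDP), ("bad", BAD_RDP)):
        print(label, audit_rdp(sample, "10.0.20.5", "10.0.10.5") or "ok")
```
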

You can now build a Web page on your 
intranet with a link to the shortcut you just 
created. As you deploy more applications this 
way, save shortcuts and add links to them on 
your new intranet application directory Web 
page. Once you've added the necessary links 
in your directory and verified that everything 
is working correctly, send an email message 
to the appropriate department managers with 
instructions for finding the link to the new 
terminal server connection. 


Avoid Hassles 

You now have a centrally deployed application directory. From this
point on, users will be able to access the software they need without
requesting that IT install it for them. Also, when the time comes to
upgrade or update these applications, you'll be able to do so by making
the changes on your server—without ever touching any of the desktops.

InstantDoc ID 96337 
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Tired of Nursing 
Your Exchange 

Capi mrO 


Anyone who has given birth to an Exchange 
network knows it can get sick and needs 
some nursing to stay healthy. In fact, 72% 
of Exchange Administrators surveyed* have 
“experienced” an Exchange disaster (feels 
like the flu)—usually from improper feeding 
and care. 


Prevent Hiccups 


GOexchange removes errors, warnings and 
inconsistencies within the database—before 
major corruption makes the database fail. 

“GOexchange corrected 2,264 errors
and 26 warnings.”


Like many databases, constant adding and 
deleting can corrupt an Exchange data file 
so it eventually turns sour. Replicating, 
archiving and backing up the data doesn’t 
stop the stink—it just stores it. You’ve 
got to... 

Fix the Problem 

You may have tried the free utilities to fix 
Exchange. While they help, they are too 
tedious, time consuming and lightweight to 
keep your Exchange baby healthy. You’ve 
tried the milk, now try some meat! 


Paul Ramos, Director IT 


Created By 


Run, Don’t Crawl 

In addition to fixing the database, 
GOexchange removes sluggishness and 
improves performance by re-indexing and 
defragmenting the database to permanently 
remove white space and deleted items. The 
end result is increased performance and 
stability with a compact efficient database 
that’s 31 to 55% smaller! Combine this 
with archiving and the database is up to 91% 
smaller—making it much quicker to backup. 

Solutions Inspiring Confidence


“Life before GOexchange...was
an absolute nightmare, late nights,
long weekends and upset users.”

Marty Grogan, CTO 


Stop The Crying 


Pamper Yourself with GOexchange 

It’s time to try GOexchange, from Lucid8, 
the #1 best-selling automated disaster 
prevention and optimization software for 
Microsoft Exchange 5.5, 2000, 2003 and 
2007. As the mother of all Exchange tools, 
GOexchange helps prevent disasters, repair 
problems, improves performance, and 
saves you a lot of time. 

“Without routine maintenance,
decreasing performance,
increased warnings and
errors accumulate and
database fragmentation
transpires, leading to
Exchange disasters.”

Gartner 


“..our information stores were reduced
by 45-50%.”

Dale Huitt, Systems Lead 

Automated Babysitter 

First, GOexchange is easy to setup and use. 
Twenty minutes—that’s all it takes to get 
your server up and running. Just schedule it, 
and walk away! 

The software notifies the users, validates 
the database, runs the backup, conducts 
a comprehensive system analysis and 
diagnostics, logs the errors, and notifies you 
if it discovers a “stop” error—then it repairs 
and defragments the database, generates a 
thorough report and schedules the next event. 

You can do some of this work yourself, but 
why waste time doing repetitive maintenance, 
when GOexchange can do it for you—faster 
and more effectively than doing it by hand. 


Why not call now, or visit our resource
site and learn how to reduce the risk, and
avoid the pain. Protect your exchange data,
maximize performance, and spend a weekend
at home—instead of babysitting Exchange.



Special Offer 

• Free Software for analysis of your 
Exchange server! 

• Free White Paper—“Basic Feeding 
of Your Exchange Server.” 

• Free Essential Guide to Exchange 
Preventative Maintenance 

Go to: www.Lucid8.com/GolTPro 
Call 425.456.8474 
E-mail: Sales@Lucid8.com 

prepping to do before you can install the software

Deploying Microsoft Exchange Server 2007 requires
careful planning. If you're bringing Exchange 2007 
into an organization with Exchange Server 2003 or 
Exchange 2000 Server, you can't just insert the installation 
disk into one of your existing Exchange servers and run 
the Exchange Server 2007 Setup wizard. Here's what you'll 
need to do to make sure your legacy organization is ready 
to receive the upgrade. 


Before You Begin 

Exchange 2007 runs only on 64-bit versions of Windows 
Server 2003. In contrast, Exchange 2003 runs only on
32-bit Windows Server OSs. Therefore, an in-place upgrade
is impossible. If you want to bring Exchange 2007 into 
an Exchange 2003 organization, you'll have to perform a 
migration, which means installing 64-bit Windows 2003 on 
a new server, installing Exchange 2007, transferring data 
from an Exchange 2003 server, and then decommissioning 
the old server if necessary. 

You probably have a lot of money invested in the hardware
that's currently running Exchange 2003. Assuming
that your old servers meet the minimum recommended
hardware requirements for running Exchange 2007—for
example, they have processors that will work with both
32-bit and 64-bit OSs—you might be able to reuse them.
For example, you could migrate the contents of one of your 
existing servers to a new Exchange 2007 server. When that 
migration is complete and has been thoroughly tested, you 
can reformat the old server, install 64-bit Windows 2003 
on it, then install Exchange 2007. You could then migrate 
the contents of another server to this server, and so on, in 
a leapfrog approach to upgrading. In some instances, you 
might be able to get away with having to purchase only one 
new server. 


Brien Posey
(http://www.brienposey.com) is the vice president
of research for Relevant Technologies. He writes
technical content for a variety of publications and
Web sites.


Initial AD Preparation 

Every version of Exchange Server since Exchange 2000 has
been dependent on Active Directory (AD) for storing information
about the organization. Exchange 2007 is no exception,
so you'll need to adequately prepare your AD prior to
installing the first Exchange 2007 server. Yes, you'll have to
extend the AD schema in order for AD to support Exchange
2007, but this step comes later in the process (see the "Final
AD Preparation" section below). Right now, you need to
make sure the individual domain controllers (DCs) are
ready for Exchange 2007.

First, you should verify that your AD's schema
master is running Windows 2003 SP1. You can
identify the schema master by inserting your
Windows 2003 installation CD-ROM into the
server's CD-ROM drive and double-clicking
the adminpak.msi file found in the CD-ROM's
i386 directory. Windows launches the Administration
Tools Pack Setup Wizard. Follow the
wizard's prompts to install the administration
tools pack.

When the installation process is complete,
close the setup wizard and open Microsoft
Management Console (MMC). In the console,
select Add/Remove Snap-in from the
File menu. Windows then displays the Add/Remove
Snap-in dialog box. Click Add on the
Standalone tab to reveal a list of available snap-ins.
Select the Active Directory Schema snap-in
from the list, then click Add, Close, OK.

Now that the snap-in has been loaded,
right-click the Active Directory Schema container
in the console tree, then click Operations
Master on the shortcut menu. As Figure
1 shows, you'll see a dialog box that tells you
which server is acting as the forest's schema
master. After you've found the schema master,
simply right-click the My Computer icon for
that server, then select Properties to display
the System Properties sheet, which tells you
the server's OS and service pack level.

The next step in preparing AD for Exchange
2007 is to verify that the Global Catalog (GC)
servers and sites containing Exchange servers
are running Windows 2003 SP1. You don't
necessarily have to track down GC servers;
a better method is simply to verify that every
site containing an Exchange server has at least
one DC running Windows 2003 SP1. A couple
of advantages come with this requirement.
First, running Windows 2003 SP1 on your DCs
lets users browse the Address Book through
Microsoft Outlook Web Access (OWA). Also,
administrators are able to look up distribution
list memberships more efficiently.

While we're on the subject of 
GC servers, this is a good time to 
decide whether yours are up to 
par. If your AD contains more than 
20,000 objects, you'll get better 
performance by running a 64-bit 
version of Windows 2003 on your 
GC servers. 

The last step in preparing AD (at 
least for now) is to make sure the 
functional level for any domains 
that will contain Exchange 2007 
servers is set to Windows 2000 
native or higher. Of course, it's 
preferable to have a domain functional level 
of Windows 2003, but you'll have to use the 
Windows 2000 functional level if the domain 
contains Windows 2000 Server-based DCs. 

To check a domain's functional level, open
the MMC Active Directory Users and Computers
snap-in. Right-click the domain in the console
tree, and select Raise Domain Functional
Level. You'll see a dialog box (which Figure
2 shows) that displays the current functional
level. If the domain is set to a functional level
lower than Windows 2003, the dialog box gives
you the option to raise the functional level.
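
The three checks in this section (schema master OS, a Windows 2003 SP1 DC in each site, domain functional level) can also be collected in one read-only pass. The PowerShell script below is an added example, not part of the original article; it assumes Windows PowerShell 2.0 or later on a domain-joined machine, reads "SP1" as "SP1 or later," and treats the 2003 interim level as below native.

```powershell
# Added example (not from the article): read-only AD readiness report.
# Assumptions: Windows PowerShell 2.0+, domain-joined machine, an account
# that can read AD; "SP1" is interpreted as "Windows 2003 SP1 or later".
Add-Type -AssemblyName System.DirectoryServices

function Test-MeetsW2k3Sp1 {
    param([string]$OsVersion, [string]$ServicePack)
    # operatingSystemVersion looks like "5.2 (3790)"; 5.2 is Windows Server 2003.
    if ($OsVersion -notmatch '^(\d+)\.(\d+)') { return $false }
    $version = [version]('{0}.{1}' -f $Matches[1], $Matches[2])
    $sp = 0
    if ($ServicePack -match 'Service Pack (\d+)') { $sp = [int]$Matches[1] }
    $w2k3 = [version]'5.2'
    return ($version -gt $w2k3) -or ($version -eq $w2k3 -and $sp -ge 1)
}

function Get-DcInventory {
    param($Domain)   # a System.DirectoryServices.ActiveDirectory.Domain object
    $root     = $Domain.GetDirectoryEntry()
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) marks DC computer accounts.
    $searcher.Filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    $searcher.PageSize = 500
    foreach ($attr in 'dNSHostName', 'operatingSystem', 'operatingSystemVersion',
                      'operatingSystemServicePack', 'serverReferenceBL') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $hits = $searcher.FindAll()
    try {
        foreach ($hit in $hits) {
            $p     = $hit.Properties    # property names are returned lower-cased
            $os    = [string]@($p['operatingsystem'])[0]
            $sp    = [string]@($p['operatingsystemservicepack'])[0]
            $osVer = [string]@($p['operatingsystemversion'])[0]
            $refDn = [string]@($p['serverreferencebl'])[0]
            $site  = '(unknown)'
            # serverReferenceBL: CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
            if ($refDn -match 'CN=Servers,CN=([^,]+),CN=Sites,') { $site = $Matches[1] }
            New-Object PSObject -Property @{
                Domain     = $Domain.Name
                DC         = [string]@($p['dnshostname'])[0]
                Site       = $site
                OS         = "$os $sp".Trim()
                SP1OrLater = Test-MeetsW2k3Sp1 $osVer $sp
            }
        }
    } finally { $hits.Dispose() }
}

$forest    = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$inventory = @($forest.Domains | ForEach-Object { Get-DcInventory $_ })

# Check 1: OS and service pack of the forest's schema master.
$schemaMaster = $forest.SchemaRoleOwner.Name
$inventory | Where-Object { $_.DC -eq $schemaMaster } |
    Format-Table @{ Label = 'Schema master'; Expression = { $_.DC } }, OS, SP1OrLater -AutoSize

# Check 2: per site, how many DCs are at Windows 2003 SP1 or later.
# Compare the sites that report 0 against the sites that hold Exchange servers.
$inventory | Group-Object Site | ForEach-Object {
    $ok = @($_.Group | Where-Object { $_.SP1OrLater }).Count
    New-Object PSObject -Property @{ Site = $_.Name; DCs = $_.Count; QualifyingDCs = $ok }
} | Format-Table Site, DCs, QualifyingDCs -AutoSize

# Check 3: domain functional level must be Windows 2000 native or higher.
# Mixed and 2003 interim both still allow Windows NT 4.0 DCs, so they fail.
$belowNative = 'Windows2000MixedDomain', 'Windows2003InterimDomain'
$forest.Domains | ForEach-Object {
    New-Object PSObject -Property @{
        Domain          = $_.Name
        FunctionalLevel = $_.DomainMode
        NativeOrHigher  = ($belowNative -notcontains $_.DomainMode.ToString())
    }
} | Format-Table Domain, FunctionalLevel, NativeOrHigher -AutoSize
```

The script changes nothing in the directory; raising a functional level is still done through the Raise Domain Functional Level dialog box described above.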

Preparing Your Exchange Organization

After you've done your initial prep work on AD,
it's time to turn your attention to your existing
Exchange organization and determine the
scope of your upgrade. For example, are all your
Exchange servers being upgraded to Exchange
2007, or is the upgrade limited to a particular
subset of your Exchange organization?

Learning Path

WINDOWS IT PRO RESOURCES:

To learn more about deploying Exchange 2007:

“Exchange Server 2007 New Features,” InstantDoc ID 94501
“Designing Your Exchange Server 2007 Infrastructure,” InstantDoc ID 95687
“Setting Up Exchange 2007,” InstantDoc ID 93599
“Configuring Exchange Server 2007,” InstantDoc ID 96044
“Exchange 2007 Transforms Message Routing,” InstantDoc ID 94859
“Mixing Exchange 2003 and Exchange 2007,” InstantDoc ID 93762
“An IT Pro’s Exchange Server 2007 Migration: As It Happens,” InstantDoc ID 95936

MICROSOFT RESOURCES:

To learn more about upgrading to Exchange 2007 in a
coexistence environment:

“Upgrading to Exchange 2007”
http://technet.microsoft.com/en-us/library/a313c016-0e51-466e-a3de-953e1e0d347d.aspx
“Planning for Coexistence”
http://technet.microsoft.com/en-us/library/54c6e6d4-aa19-4d30-87b6-31a1ca018a3f.aspx
“How to Install Exchange 2007 in an Existing Exchange Server 2003 Organization”
http://technet.microsoft.com/en-us/library/bb124350.aspx

Additional tasks to consider when upgrading to
Exchange 2007:

“How to Set the SuppressStateChanges Registry Value”
http://technet.microsoft.com/en-us/library/875ae7f8-446d-4786-85d2-719ac7093cf6.aspx
“Microsoft Exchange Server Best Practices Analyzer: Quick Start Guide”
http://www.microsoft.com/technet/prodtechnol/exchange/2003/exbpaqsg

By far the most important consideration is
whether you have Exchange Server 5.5 servers
present in your organization. Exchange 2007
isn't compatible with Exchange 5.5. Therefore,
any Exchange 5.5 servers must be upgraded at
least to Exchange 2000 before you can bring
Exchange 2007 into your organization.

Exchange 2007 is designed to coexist
with Exchange 2003 and Exchange 2000.
However, Exchange 2007 doesn't support
all legacy features. Exchange 2000 services
that aren't supported by Exchange 2007 include

• cc:Mail Connector

• Exchange 2000 Conferencing Server 

• Instant Messaging Service 

• Key Management Service 

• Microsoft Exchange Chat Service 

• Microsoft Mobile Information Server 

• MS Mail Connector 

Also, Exchange 2007 doesn't support the 
following Exchange 2003 features: 

• Connector for Lotus Notes 

• GroupWise connector

• X.400 connector 


After you decide which servers to
upgrade to Exchange 2007, the next step
in the process is to switch your Exchange
organization into native mode, which essentially
tells Exchange that there are no Exchange
5.5 servers in the organization. I'll assume that
you're working with only Exchange 2003; the
exact procedure for switching to native mode
is different if you're using Exchange 2000.

To switch your Exchange organization into 
native mode, open Exchange System Manager, 
then right-click the node that represents your 
Exchange organization. Click Properties, and 
the console displays a dialog box that gives you 
the chance to switch to native mode. Note that 
this is a one-way conversion: You can't switch 
back to mixed mode, which is required for 
Exchange 5.5, after you make the change. As 
Figure 3 shows, when the process is complete, 
the dialog box indicates that the Exchange 
organization is running in native mode. 


Suppressing Link State Updates

If your Exchange organization includes legacy
servers, you might have to tweak the registry
on those servers to suppress link state updates.
Exchange 2007 requires that link state information
is suppressed, but you'll have to make this
modification only if your organization contains
more than one Routing Group Connector.

Before I show you what to do, I have to
keep the lawyers happy by mentioning that
modifying the registry is dangerous. You can
destroy Windows and your applications if you
make incorrect registry modifications. I therefore
recommend making a full system backup
before continuing.

Figure 3: Switching your Exchange organization into native mode

With that said, open the registry editor
(regedit.exe) on each of your legacy Exchange
servers and navigate to the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RESvc\Parameters
subkey. Right-click
the Parameters container and select New,
DWORD. When prompted, create a DWORD
value named SuppressStateChanges and set
the Value data field to 1. When you're done,
restart the SMTP service, the Message Transfer
Agent (MTA) Stacks service, and the Exchange
Routing Engine service.

If you have a lot of legacy servers, you can 
perform the registry edit on one server, then 
export the registry subkey to a file. You could 
then push the file to the other servers. When 
each server opens the file, the change will be 
made to its registry. 
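
One way to handle the many-servers case while confirming the result on each machine, as an added PowerShell example that is not from the original article. The server names are placeholders, the short service names SMTPSVC, MSExchangeMTA and RESvc are assumed to be the three services named above, and the script assumes Windows PowerShell 2.0 through 5.1 with the Remote Registry service reachable on each legacy server.

```powershell
# Added example (not from the article): audit, and optionally set,
# SuppressStateChanges on legacy Exchange servers.
param(
    # Placeholder names; replace with your Exchange 2003/2000 servers.
    [string[]]$Servers = @('LEGACY-EXCH-01', 'LEGACY-EXCH-02'),
    # Without -Apply the script only reports the current state.
    [switch]$Apply
)

$SubKey    = 'System\CurrentControlSet\Services\RESvc\Parameters'
$ValueName = 'SuppressStateChanges'
# Assumed short names of the SMTP, MTA Stacks and Routing Engine services.
$Services  = 'SMTPSVC', 'MSExchangeMTA', 'RESvc'
$Hive      = [Microsoft.Win32.RegistryHive]::LocalMachine

function Get-SuppressState {
    param([string]$Server)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive, $Server)
    try {
        $key = $hklm.OpenSubKey($SubKey)            # read-only handle
        if ($null -eq $key) { return 'KeyMissing' }
        try {
            $value = $key.GetValue($ValueName, $null)
            if ($null -eq $value) { return 'NotSet' }
            $kind = $key.GetValueKind($ValueName)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return 'WrongType' }
            return [int]$value
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

function Set-SuppressState {
    param([string]$Server)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive, $Server)
    try {
        $key = $hklm.OpenSubKey($SubKey, $true)     # writable handle
        if ($null -eq $key) { throw "RESvc\Parameters subkey not found on $Server" }
        try { $key.SetValue($ValueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord) }
        finally { $key.Close() }
    } finally { $hklm.Close() }
}

$report = foreach ($server in $Servers) {
    $row = New-Object PSObject -Property @{
        Server = $server; Before = $null; After = $null; Restarted = $false; Problem = $null
    }
    try {
        $row.Before = Get-SuppressState $server
        $row.After  = $row.Before
        if ($Apply -and $row.Before -ne 1) {
            Set-SuppressState $server
            # Read the value back instead of trusting the write.
            $row.After = Get-SuppressState $server
            if ($row.After -ne 1) { throw 'Value did not read back as 1' }
            # The change takes effect only after the three services restart.
            # -Force also stops dependent services; confirm they are running afterwards.
            foreach ($name in $Services) {
                Get-Service -ComputerName $server -Name $name -ErrorAction Stop |
                    Restart-Service -Force -ErrorAction Stop
            }
            $row.Restarted = $true
        }
    } catch {
        $row.Problem = $_.Exception.Message
    }
    $row
}

$report | Format-Table Server, Before, After, Restarted, Problem -AutoSize
```

Run it once without -Apply to see which servers still need the value, then with -Apply in a maintenance window, because restarting these services interrupts mail flow on that server.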


Final AD Preparation 

As you might recall, when you installed
Exchange 2003 for the first time, you could prepare
AD by running Setup with the ForestPrep
and DomainPrep switches. If you neglected
to perform these tasks, Setup would perform
them automatically when you attempted to
install Exchange 2003. Exchange 2007 offers
you a similar AD preparation mechanism that
you can run before installation.

Before proceeding, you should perform 
a full system-state backup of your schema 
master and of at least one DC in each domain 
that will contain an Exchange 2007 server. The 
commands I'm about to show you modify the 
AD schema, so you'll want a current backup 
should something go wrong during the AD 
preparation process. 

The first command you must run is 

setup /PrepareLegacyExchangePermissions 

This command sets some necessary permissions
in portions of AD that Setup will modify
during the remaining steps. If you skip this
step but run the remaining commands, the
Recipient Update Service will fail on your
Exchange 2003 and Exchange 2000 servers.

REQUIRED READING | Upgrading to Exchange Server 2007

STEP BY STEP to Exchange 2007

Moving to Exchange Server 2007 is a big project. Even after you've gotten your budget
approved and your new hardware in place and have read all the support documents Microsoft
has to offer, you still have to complete a list of tasks to prepare your organization for the
upgrade. Here's a brief look at what you need to do to ready Active Directory (AD) and your
legacy organization for the change:

STEP 1: Determine whether you can use some of your existing hardware; if so, you might
be able to save some money and employ a leapfrog upgrade approach.

STEP 2: Verify that your AD's schema master is running Windows Server 2003 SP1.

STEP 3: Verify that every site containing an Exchange server has at least one DC running
Windows 2003 SP1.

STEP 4: Make sure the functional level for any domains that will contain Exchange 2007
servers is set to Windows 2000 native or higher.

STEP 5: Upgrade any Exchange Server 5.5 servers to at least Exchange 2000 Server. Be
aware that not all Exchange 2003 and Exchange 2000 features are supported by
Exchange 2007.

STEP 6: Switch your Exchange organization into native mode.

STEP 7: Modify the registry of Exchange 2003 and Exchange 2000 servers to suppress
link state updates.

STEP 8: Finalize AD preparation by running Setup commands to set necessary permissions,
extend the AD schema, and prepare AD and the domains.

STEP 9: Run the Exchange Server Best Practices Analyzer (ExBPA)'s Exchange 2007
readiness check.

The next step in the process
is to extend the AD schema by
entering the following command:

setup /PrepareSchema

After the schema has been
extended, it's time to prepare
AD with the following command:

setup /PrepareAD

This command creates the
Exchange 2007 administrative
group, the Exchange Universal
Security Group, and the
Exchange 2007 routing group.

The last step in the AD
preparation process is to prepare the individual
domains in which Exchange servers
will reside by typing the command

setup /PrepareDomain:<target domain>

For target domain, use the Fully Qualified
Domain Name. If you have a lot of domains
that will host Exchange 2007 servers, you can
take a shortcut by preparing all of the domains
at once with the command

setup /PrepareAllDomains

Checking for Readiness

Figure 4: Verifying readiness with ExBPA

You should now be able to run Setup and
install Exchange 2007. Before you do, though,
I recommend performing one last check:
Run the Exchange Server Best Practices Analyzer
(ExBPA) to make sure that the existing
Exchange organization is ready. You can
download the latest version of this free tool
from http://www.microsoft.com/exchange/exbpa.
At the time this article was written, the
most recent version was 2.7. The machine that
you install ExBPA on must be running Microsoft
.NET Framework 1.1 and must have the IIS
Common Files installed.

You'll also need to download the latest 
updates for ExBPA because the Exchange 2007 
readiness check isn't included in version 2.7. 
When the updates have been downloaded and 
installed, restart ExBPA and click the link to go 
to the Welcome screen, followed by the link to 
select options for a new scan. Now, verify that 
ExBPA is displaying the name of one of your 
DCs, then click Connect to the Active Directory 
server. You'll see a screen that lets you set the 
scope and type of scan you want to perform. 
As Figure 4 shows, an Exchange 2007 readiness 
check is one of the options 
you can choose. Use this 
check to verify that your AD 
and your existing Exchange 
organization are adequately 
prepared to accept Exchange 
2007. 

You're now prepared to 
complete the Exchange 2007 
upgrade process. You can 
install Exchange 2007, then 
migrate the data from legacy 
servers that your Exchange 
2007 server will replace. For 
a quick reference on the 
tasks to prepare your legacy 
organization for upgrading, 
see the sidebar "Step by Step
to Exchange 2007."

Microsoft Office SharePoint Server
(MOSS) 2007 answers many business
needs, from document storage
and information sharing to centralized
project tracking to exposing business intelligence
(BI) data. As such, MOSS is considered
a business-critical application in most organizations,
and therefore you need to ensure
that the services provided are available when
needed. In this overview of MOSS 2007 high
availability, I discuss four key areas that will
help you design and deploy a highly available
SharePoint environment: selecting the
appropriate architecture, understanding core
services and their availability options, implementing
your high-availability strategy, and
planning for failures.


Learning Path

WINDOWS IT PRO RESOURCES:

“SharePoint Server 2007 Revealed,” InstantDoc ID 94914
“Coordinate a Virtualized Environment for SharePoint,” InstantDoc ID 95846
“Virtualization Technologies,” InstantDoc ID 93137
“VMware ESX Server 2.0,” InstantDoc ID 48409
“What Is Network Load Balancing (NLB)?” InstantDoc ID 49925

MICROSOFT RESOURCES:

“Office SharePoint Server 2007”
http://go.microsoft.com/fwlink/?LinkId=84739
“Planning and architecture for Office SharePoint Server 2007”
http://technet2.microsoft.com/Office/en-us/library/6899a44a-6a22-4cdd-a734-d19aec4dfca71033.mspx?mfr=true
“Plan to deploy index and query servers (Office SharePoint Server for Search)”
http://technet2.microsoft.com/Office/en-us/library/6899a44a-6a22-4cdd-a734-d19aec4dfca71033.mspx?mfr=true
“Introducing Microsoft Cluster Service (MSCS) in the Windows Server 2003 Family”
http://msdn2.microsoft.com/en-us/library/ms952401.aspx


Architecture Selection 

There are many ways to design a MOSS farm, 
but it's important to choose a farm layout that 
is conducive to high availability. Factors such 
as budget, availability of hardware, desired 
performance, and service level agreements 
(SLAs) will affect the number of servers in 
your farm and their placement. There are two 
basic SharePoint architectures that provide 
high availability: the two-tier architecture and 
the three-tier architecture. Figure 1, page 68, 
illustrates both architectures. 

The Web content tier consists of servers that 
host the Microsoft IIS Web sites that deliver 
content to the end user. The application tier 
hosts all the background services (e.g., Excel 
Web Access, Search) that are used by Web parts 
to display information to the end user. 

The two-tier approach features a clustered
Microsoft SQL Server back end and a Web
server front end. In this scenario, the front-end
servers host the Web content and the application-tier
functionality. The benefit of the two-tier
approach is that it's simpler to design and
implement than the three-tier setup. The major
drawback comes in potential performance loss
if there's a heavy reliance on Excel Calculation
Services, which performs calculations on Excel
workbooks stored in the database, and other
application-layer services.

In the three-tier design, Web servers serve
only Web content, and the application services
are delegated their own servers. You need to
keep in mind a few caveats, which I discuss
later on a per-service basis. The main benefit
of the three-tier approach is that it's highly
scalable, allowing for easy expansion. On the
downside, it's more complex and harder to
monitor and maintain.

You also need a load-balancing technology.
Network Load Balancing (NLB) and Microsoft
Cluster Service (MSCS) are Microsoft's
two load-balancing technologies. In an NLB
architecture, machines host the same data and
share an IP address that clients use to access
the load-balanced site or service. Requests are
divided up between the load-balanced hosts
according to rules set by an administrator. In
an MSCS environment, hosted services reside
in virtual servers. A virtual server is a group of
services required to run a clustered application;
it is coupled with an IP address, network
name, and usually a shared physical disk that
all nodes in the cluster have access to. When
one node fails, the next node configured as a
possible owner of the service takes the shared
resources (IP, network name, physical disk) and
starts the necessary services, thereby starting
the virtual server. In our example, we'll use NLB
on front-end servers and MSCS to cluster the
SQL Server back end.

When load-balancing the front-end
servers, keep in mind that NLB operating
in unicast mode with a single NIC will prevent
inter-host communications, possibly interfering
with the functionality of the farm. In this
situation, it's usually best to implement the NLB
cluster in Internet Group Management Protocol
(IGMP) multicast mode (provided your switch
vendor supports this). Alternatively, you can
use a third-party hardware load-balancing solution.

Because failover clusters depend on their
shared storage, your storage design is important.
There are many shared-storage devices
available today, taking advantage of different
technologies from Fibre Channel to iSCSI. The
one consideration that you need to take into
account regardless of the technology leveraged
is storage redundancy. It does no good to
have redundant servers if your storage device
represents a possible single point of failure. If
the situation warrants redundancy, it probably
warrants redundant storage devices. For both
two-tier and three-tier scenarios, SQL Server
must be set in an active/passive failover cluster.
This provides for redundancy and ensures that
the failure of one node doesn't affect the availability
of the database.

Table 1: Making SharePoint Services Redundant

Service | Method | Caveats
Web Server | Redundant with NLB | NLB operating in unicast mode with one NIC will prevent interhost communications. Implement the NLB cluster in IGMP multicast mode or use a third-party hardware load-balancing solution.
Query | Redundant when run on multiple servers | Can’t be deployed in a redundant fashion when installed on the server running the Index service
Excel Calculation Services | Redundant when run on multiple servers | Potentially resource intensive; consider dedicating servers for this

Services and Availability Options 

Figure 1: three-tier SharePoint architectures

Knowing the core SharePoint services, their
functions, and methods for providing redundancy,
when possible, will help you keep the
server farm highly available. MOSS 2007 has
five key services:

• The Web Server serves Web content to end
users.

• The Query service provides query functionality
for MOSS 2007 search.

• Excel Calculation Services performs calculations
on Excel workbooks stored in the database.

• The Index service collects and propagates
the results of SharePoint Search crawls. This
information is then used by the Query service
to return search results.

• Windows SharePoint Services (WSS) 3.0
Search provides search functionality in the
absence of Query and Index services, and
provides full text search of SharePoint Help.

Only the first three services in the list can be 
made redundant in your server farm, and Table 
1 shows you how to do so. The remaining two 
services, WSS Search and the Index service, 
can't be made redundant. 

The WSS Search service isn't required if
you're running the Query service and the Index
service, unless you want full-text search in SharePoint
Help. If you do, you can run WSS Search
on the same server farm as the Query and Index
services with no change in functionality.

Note that although you can't make these
services redundant via load balancing or by
installing them on multiple servers, it's possible
to make them redundant by installing them on
a Microsoft Virtual Server virtual machine (VM)
and using MSCS to cluster them. Bear in mind
that this redundancy protects only from hardware
issues, and might not provide the desired
level of performance. For more information on
clustering VMs, visit
http://www.windowsitpro.com/articles/index.cfm?articleid=45901&feed=articleLink.

You can attain database redundancy by
using a clustered SQL Server configuration;
you would then configure SharePoint to use the
SQL cluster virtual server during installation.
For more information about clustering SQL
Server, see the SQL Server 2005 Books Online
(BOL—http://technet.microsoft.com/en-us/sqlserver/bb428874.aspx)
materials and search
for "clustering."

Figure 3: Entering configuration database settings

Note: During the install of SQL Server 2005 
to multiple cluster nodes, keep in mind that the 
installation must be performed from one of the 
nodes; however, if you're logged on to one of 
the other target nodes during the installation, 
the install on that node will fail. 

Implementation 

To maintain a highly available SharePoint environment,
you need to ensure that the availability
options at each tier of your architecture meet
your needs. The following procedures relate to
the three-tier architectural model: Web servers
in one tier, application services in another tier,
and the database back end in the third tier. To
accomplish the following implementation tasks
in a two-tier environment, just add the application
server services to the Web servers.

Web servers. To make Web servers highly
available, you need two or more servers. You
also need to run NLB or use an external load
balancer.

The first step is to install MOSS on the 
servers you'll be using for the Web front end. 
When you begin the installation, you'll be 
prompted whether you want to perform a Basic 
or Advanced installation. Because this won't be 
a standalone installation, select Advanced, and
on the next page, select Web Front End - Only
install components required to render content to
users, as Figure 2 shows. Then click Install Now.
When the installation completes, click Close, 
which opens the SharePoint Products and 
Technologies Configuration Wizard. Proceed 
through the wizard by performing these steps: 

1. Click Next at the Welcome screen and
click Yes in the dialog box that advises that you
might have to start or reset related services during
configuration.

2. Next, select whether you want to connect
to an existing farm or start a new one.

3. Specify the configuration database server
and the name of the database, as Figure 3 shows.
Then enter the credentials for the account that
the machine will use to connect to the configuration
database.

4. If you want to install the Central Administration
Web application on your Web server,
select that check box and note the port number
(in case you want to load balance it across your
Web servers). You'll see a summary of your
choices. Confirm that they're correct and click
Next. Click Finish.

After you install MOSS on your Web servers, 
you'll need to configure load balancing. For 
this example, I show you how to set up NLB 
with IGMP Multicast on Windows Server 2003. 
I prefer to use the Network Load Balancing 
Manager, which you'll find under the Windows 
2003 Administrative Tools menu. To set up NLB, 
perform these steps: 

1. Start the Network Load Balancing Manager
on any machine in the domain and click
Cluster, New.

2. On the Cluster Parameters screen, enter 
the cluster's IP address and Subnet mask. Under 
Cluster operation mode, select the Multicast 
option and the IGMP Multicast check box, as 
Figure 4, page 70, shows. Click Next. 

3. You'll be prompted to enter additional 
cluster IP addresses, which is handy if you plan 
to host multiple Secure Sockets Layer (SSL) 
sites and want them to be load balanced. Click 
Next. 

4. Next, you need to configure port rules. 
Using the options here, you can specify which 
ports are load balanced on a per IP address 
basis. This means that if you're only hosting one 
protocol in your NLB cluster (e.g., HTTP), you 
need to open only the related ports. Click Next. 

5. On this screen, you specify the first host to
be added to the cluster. Enter the name of one
of your Web servers and click Next. This screen
shows the configuration of the host you've
selected. It contains the host priority (which is
the host ID within the cluster), the dedicated IP
information of the host, and the initial host state
(the default is Started). Click Finish.

6. The left panel of the Network Load Balancing
Manager shows your first host along with its
description and state, as Figure 5 shows.

7. Click Cluster, Add Host, and enter the
name of the next host you want to join to the
cluster. Click Next, then click Finish. Repeat this
step for each host you want to add.

Figure 4: Setting cluster parameters

Don't forget to add DNS records that point to 
the NLB cluster IP address for the sites you're 
load-balancing. 

Application servers. You can run the Query
service on any number of application servers.
However, the Query and Index services can't
reside on the same server. If they do, the Index
service recognizes that the Query service is
installed and it won't propagate the index. If
the content you're hosting is relatively static
(50 percent or more of the requests for your
Web servers are for static content), you can see
a potential performance boost by moving the
Query service to your Web servers. The resulting
performance boost is due to the content caching
done by the Query service.

Excel Calculation Services provides support 
for server-side calculation of workbooks hosted 
through Excel Web Access in MOSS 2007. A 
request to process a workbook is sent to a server 
running Excel Calculation Services. The service 
stores session-state information so that the 
same server processes the request until the user 
session ends or the workbook is closed. 

Excel Calculation Services is a resource-intensive
service, so in large environments
with heavy utilization of complex workbooks,
you might want to dedicate a couple of high-power
servers solely to this service. I've worked
at companies that relied on workbooks so complex
that it took a high-end, dual-core machine
longer than an hour to do the calculations on
them. Cases like that let you see SharePoint's
true value. If you upload the workbook and
make it accessible through Excel Web Access,
the calculations are performed from a central
location, and you need to buy only the application
servers instead of buying expensive
workstations for all employees that need to
view the worksheets. Keep in mind, though,
that because these operations are so resource-intensive,
they might affect other services running
on the servers.

Failure Management 

Despite all precautions, failures will occur. If a
failure involving any of the redundant services
occurs, the server will be unavailable, but the
service will continue to function. For this reason,
it's important that you have a monitoring
solution in place, such as Microsoft System
Center Operations Manager, that will notify
administrators in the event of a failure. Here's
how to handle a failure, depending on which
server fails:

• Web servers—If a Web server fails, the server
will no longer be running on the virtual IP
address and NLB won't direct requests to it.
Repair the server, and bring it back up in the
NLB cluster.

• Application servers—If a server hosting
Excel Calculation Services or the Query
service fails, that server will no longer
respond to requests, and those requests will
go to another server hosting the service. If
a server hosting the Index service fails, the
Query servers will continue to respond using
cached information. After the server is recovered,
index propagation will resume.

• SQL Server (database) server—In a clustered
environment, SQL Server will fail over to
the inactive node in the event of a failure.
It's important to repair the failed node and
test failover/failback to ensure uptime in the
event of future failures.

It’s All About Reliability 

SharePoint is a crucial application in most
environments, necessitating a high-availability
infrastructure. The two-tier and three-tier architectures
satisfy the need for high availability by
placing services that can be made redundant on
multiple hosts, and NLB and MSCS technologies
provide continuous access to content in
the event of a single cluster node failure. Using
the available tools, administrators can enable
the necessary reliability to ensure that data and
productivity are maintained.
Liberate Your Inner Salesperson

Effective selling is just a shift in attitude and perspective


As Blake, the quintessential real estate salesman,
scolds a group of underperforming colleagues in
David Mamet's brilliant movie about the art and
war of sales, Glengarry Glen Ross, he says, "Put that coffee
down! Coffee is for closers only."

Sales is a different beast altogether from the land of routers,
servers, and Ethernet cards. In fact, many of us went into
IT specifically to get out of sales. But that's not to say we never 
have to sell. More than we might like, even in IT we have 
to sell our solutions and services to other business groups 
and IT consumers in our organization. Whenever you need 
something from someone who might not be inclined to give 
it to you, you'll benefit by understanding how to sell. 

In the world at large, sales is about getting a customer to 
pay the most he or she is willing and able to pay for a good 
or service. In IT, sales is more about convincing a business 
group to replace an old line of business (LOB) application 
with a new one, getting a manager to sign off on a new rack 
of servers, or even persuading another IT group to use a 
different process or platform. Like it or not, the success of 
many IT projects hinges less on the technical quality of the 
solution than it does on selling the project to those who will 
implement it. As Blake later tells his cohorts, first prize in the 
sales contest is a Cadillac, second prize is a set of steak knives,
and third prize is "You're fired." Here are four essential tips 
for unleashing your inner salesperson. 

TIP 1: Master the Basics 

Sales is one part relationship building and one part persuasion.
Relationship building is the art of acquiring potential
customers and warming them up for the pitch, and persuasion
is the science of closing the deal.

In the relationship phase, a good salesperson builds
a foundation of trust and credibility. Salespeople generally
build trust by finding things they have in common
with their customers and progressively exchanging more
information. For instance, upon finding out that a customer
is from an area the salesperson is familiar with,
the salesperson might share an anecdote about his or her
experiences there, thereby starting a relationship around a
common geographical area or culture. Before moving to the
persuasion phase, an effective salesperson also establishes
credibility with regard to the product he or she is trying
to sell. The most common way salespeople do that is by
reciting specification details for the product they're selling
and demonstrating the benefits. If the salesperson can't
establish credibility as a source of information, the buyer's
doubt will likely prevail.

In the persuasion phase, the salesperson concentrates
on the benefits of the product. The objective is to make the
customer feel so good about deciding to buy the product
that he or she can't wait to sign on the dotted line.

In the relationship building and persuasion phases, you 
need to be energetic, assertive, and relentlessly positive. 
You're priming the customer or stakeholder to make a big 
decision, and if he or she isn't excited, empowered, and 
smiling inside and out, you probably won't close the deal. 
If you don't believe—and clearly project—that your product 
or idea is the greatest thing since the integrated circuit, you 
certainly can't expect your customer to think so. 

TIP 2: Hear What the Customer Is Really Saying

Customers always have questions. They want to know 
what they're getting, what they're not getting, and how the 
solution will perform for them in the ways that they'll want 
to use it. 

The catch is that customers rarely ask the questions that
they really want answered. You need to listen carefully to
what the customer asks and answer not only the stated question,
but also the real question that underlies it. For example,
when considering a new LOB application that your group has
developed, a business manager might ask you how many
transactions per second your application can achieve. The
technical geek in you will be tempted to say something like
"on a fiber-optic network, the server can do up to 1,500tps."
But that response, while informative, doesn't answer the
question the business manager really wants answered.

Although the business manager asked about transactions
per second, she actually wants to know whether
your application will have the performance that her group
needs. The answer you should give to this question (if you
truthfully can) is that your application can scale to whatever
throughput her business can generate. If business doubles
in capacity, you can double the transactions per second. If
her business doesn't grow (which of course you could never
imagine), your application can be right-sized to meet the
group's needs.

Ben Smith is a security strategist
at Microsoft, where he
researches methods to
help organizations achieve
better security through
improved management and
measurement techniques.
He is coauthor of Assessing
Network Security
(Microsoft Press).


TIP 3: Sell the Freedom, Not the Car

A great salesperson doesn't sell the product but rather 
an experience or emotion related to it. Cars are the best 
example of how this sales principle works. 

One car is very much like another, but from watching
automobile ads and listening to car salesmen,
you'd never know that. For example, if you're
in the market for a convertible, the salesperson
sells sunny days, hair blowing in the wind, and
freedom. If you're shopping for a gas-electric
hybrid, the salesperson sells clean water, rainforests,
and Earth Day. And if a luxury sedan is
more your style, the salesperson sells reputation,
status, and country clubs.

Selling IT is no different. Say your company
call center's legacy ticketing application costs
twice as much to manage as would the up-to-date
version of the product. You'd like the
call center to upgrade the application, but the
call center managers might hesitate to disrupt
business continuity.

Now you must become a salesperson. If
you want the call center to upgrade its ticketing
application, start by finding out how the call
center managers' performance is measured,
then sell the benefits of the application that
relate to those metrics rather than the application's
benefits to your team. For instance, if
you find that the managers are evaluated on
call turnaround times, sell the speed of the new
application. If they are evaluated on uptime,
sell the application's fault tolerance. The bottom
line is that the call center is going to use
some application—you just want it to be the
one that you want, too.

TIP 4: Eliminate Reasons Not to Buy

Alternatives are the leverage that buyers have
in a negotiation: They can always walk away
because they have an existing solution that's
good enough or because they can consider
other solutions. When you're selling, you need
to eliminate all the reasons that the customer
might consider the alternatives. The best way
to do so is to create apples-to-apples comparisons
in which your solution is clearly
competitive, then present apples-to-oranges
comparisons showing that your solution
does things the alternatives can't possibly do.
Whenever you hear a business or IT manager
give you reasons why he or she is unlikely to
implement your solution, make a mental note.
At some point, you have to counter that thinking
before you can close the sale.

For example, if an IT executive is hemming 
and hawing about the cost of a new rack of 
servers, you'd first clearly articulate the cost 
of not funding the servers. Then you might 
create a compromise point by offering to set a 
management target of reducing the cost of the 
new servers by 10 percent. 

A Shift in Attitude 

A lot of great sales training is available free.
Just tune into some late-night TV infomercials
and watch how the hosts use these four sales
tips to sell everything from kitchen appliances
to cleaning supplies to exercise equipment.
You could almost substitute the product in
one infomercial with that in another without
changing the dialog or spirit.

Although at times you might feel that
becoming an effective salesperson requires
that you sell your soul to the devil, successful
selling is actually just a shift in attitude and
perspective. And remember, coffee is for closers
only.
Thwarting Integrity Attacks with Chml

Don’t freak out—here are 3 ways to run with the System integrity level


Last month, in "Chml Fills the Gap" (InstantDoc ID
95973), I introduced you to Chml, a utility I created
for exploiting the new Windows Vista integrity
levels to potentially shore up your computer's security.
You'll recall from my past two columns that integrity levels
resemble file permissions—but they also override file permissions.
In other words, if integrity levels deny you access
to an object, you're denied access to that object even if you
have Full Control permission on that object.

Last month, I wrote that integrity levels support a largely 
undocumented but useful notion called no read up, which 
denies Read access to an object that holds a higher integrity 
level than the process (e.g., Microsoft Internet Explorer—IE, 
Word) trying to read it. This month, I return to the more 
well documented integrity-level feature called no write up, 
which blocks any lower-integrity process from modifying a 
higher-integrity object. But I take the discussion a bit further 
by exploring how to assume the System integrity level. 

You’re Kidding! 

Vista recognizes five levels of integrity: Untrusted, Low,
Medium, High, and System. (Another, even higher level called
Protected Process isn't accessible or in use, as far as I can see.)
Standard users typically operate as Medium integrity, and
administrative users operate as High integrity. Notice, however,
that Windows recognizes an integrity level higher than
the level that administrators enjoy: the System level.

When I first learned that Vista included an integrity level
above that of administrators, I freaked out: "What!? Microsoft
has placed things on my own Vista laptop that I can't
delete?" Indeed, early versions of Vista kept administrators
from accidentally deleting system files by giving those
files the System integrity level. But when Vista beta testers
complained that they couldn't delete items on their own
computer, Microsoft removed the System integrity level
from the files in the Windows folder.

Nevertheless, the System integrity level still worries me.
What if a malicious user figures out how to install malware on
my system and grant it the System integrity level? I wouldn't
even be able to delete that malware, despite the fact that the
Administrators group has Full Control permissions on every
folder on the computer. Would my only option be to simply
wipe the hard disk clean and start over? Thankfully, no.

Triple Play 

I've discovered three ways to run Chml with the System
integrity level. The first way to run Chml with the System
integrity level is to simply boot your system with a Windows
Preinstallation Environment (PE) CD-ROM. When you run
Windows PE, you're running in the context of the System
account, and—not surprisingly—the System account runs
with the System integrity level.

So, if you were to come across some malware installed
at the System integrity level, you'd need only to boot the
afflicted computer with Windows PE and use Chml to
lower the malware's integrity level, as I demonstrated last
month:

chml <file or folder name> -i:m

After you lower the malware's integrity level to Medium,
you can delete the malware. Of course, you'd need to add
Chml to the Windows PE disk to use this solution, because
the tool isn't built into Windows PE. Alternatively, you could
just run Chml from a USB drive.

The second way to run Chml with the System integrity
level is to go to Sysinternals (http://www.sysinternals.com),
download the latest version of Psexec (psexec.exe), and
exploit its new Vista-compatible -s switch, which lets you
run any command in the context of the System account.
So, for example, if you have Chml in a folder called C:\mystuff
and you want to lower the integrity level of a folder named
C:\malware, you'd type

psexec -s C:\mystuff\chml.exe C:\malware -i:m

The third way to run Chml with the System integrity level
is to use the new Task Scheduler, whose command-line interface
lets you run any application in the context of the System
account. For example, you can type (all on one line)

schtasks /create /tn dochml /ru "nt authority\system" /sc once /st 09:28 /tr "C:\mystuff\chml.exe C:\malware -i:m -b"

In this command, the /create option creates a new task.
The /tn dochml option names the task dochml. The /ru "nt
authority\system" option instructs Task Scheduler to run
the command in the context of the System account. The /sc
once /st 09:28 portion of the command runs the task once,
at 9:28. (Unfortunately, Schtasks doesn't support the option
to "do it now," as the Task Scheduler GUI does.)

Paranoid Much? 

Yes, worrying about malware with a System integrity level
might seem the height of paranoia. However, you're now
equipped to defeat that malware—should it appear.
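The no-write-up rule and the relabel-then-delete procedure described in this column can be modeled in a few lines. The following Python sketch is an added example, not part of the original column or of Chml: it parses the mandatory-label ACE of an SDDL string and applies the integrity check before the DACL. The function names and the sample descriptors are assumptions constructed for illustration, and the model is simplified (it ignores privileges and label inheritance).

```python
import re

# Integrity levels named in the column, with the RID Windows uses in the
# label SID S-1-16-<RID>.
LEVEL_RID = {"Untrusted": 0x0000, "Low": 0x1000, "Medium": 0x2000,
             "High": 0x3000, "System": 0x4000}
# SDDL aliases for the label SIDs.
SDDL_ALIAS = {"LW": "Low", "ME": "Medium", "HI": "High", "SI": "System"}
# Label policy token that governs each kind of access.
POLICY_FOR = {"write": "NW", "read": "NR", "execute": "NX"}

# Mandatory-label ACE: (ML;<flags>;<policy>;;;<label SID>)
ML_ACE = re.compile(r"\(ML;[^;]*;([^;]*);;;([^)]+)\)")

# Constructed sample descriptors (hypothetical, for illustration only):
# Administrators hold Full Control in both; only the label differs.
SYSTEM_LABELLED = "O:BAG:BAD:(A;;FA;;;BA)S:(ML;;NW;;;SI)"
RELABELLED = "O:BAG:BAD:(A;;FA;;;BA)S:(ML;;NW;;;ME)"


def parse_label(sddl):
    """Return (level name, set of policy tokens) for an SDDL string."""
    match = ML_ACE.search(sddl)
    if match is None:
        # An object with no label is treated as Medium with no-write-up.
        return "Medium", {"NW"}
    rights, sid = match.groups()
    policies = set(re.findall(r"NW|NR|NX", rights))
    if sid in SDDL_ALIAS:
        return SDDL_ALIAS[sid], policies
    explicit = re.fullmatch(r"S-1-16-(\d+)", sid)
    if explicit:
        rid = int(explicit.group(1))
        for name, value in LEVEL_RID.items():
            if value == rid:
                return name, policies
    raise ValueError("unrecognized integrity label SID: " + sid)


def check_access(process_level, sddl, wanted, dacl_allows):
    """Apply the integrity check first, then the DACL result.

    process_level: integrity level of the caller, e.g. "High".
    wanted: "read", "write" or "execute" (delete counts as write).
    dacl_allows: what the DACL alone would decide for this caller.
    """
    object_level, policies = parse_label(sddl)
    is_lower = LEVEL_RID[process_level] < LEVEL_RID[object_level]
    token = POLICY_FOR[wanted]
    if is_lower and token in policies:
        return False, "denied by integrity label (%s < %s, %s)" % (
            process_level, object_level, token)
    if not dacl_allows:
        return False, "denied by DACL"
    return True, "allowed"


def walkthrough():
    """The column's scenario: blocked as admin, relabel as System, delete."""
    return [
        ("administrator (High) deletes System-labelled file",
         check_access("High", SYSTEM_LABELLED, "write", True)),
        ("same request from the System account",
         check_access("System", SYSTEM_LABELLED, "write", True)),
        ("administrator (High) after relabel to Medium",
         check_access("High", RELABELLED, "write", True)),
    ]


if __name__ == "__main__":
    for description, (allowed, reason) in walkthrough():
        print("%-52s %s" % (description, reason))
```

The first case is denied even though the DACL grants Full Control, which is the override behavior the column describes; the second corresponds to running under Windows PE, Psexec -s, or a System-account scheduled task.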
Top 10


Windows Server Virtualization Features

Microsoft’s new technology makes VMs even more attractive


Virtualization is one of today's fastest-changing
technologies, and nowhere is that more evident
than in Microsoft's new product, Windows Server
Virtualization (code-named Viridian), which will be available
as part of Windows Server 2008 (formerly code-named
Longhorn). Microsoft is promising to deliver the release to
manufacturing version of Windows Server Virtualization
within 180 days of the release of Windows 2008. (A prerelease
version of Viridian will be included with the initial
shipping version of Windows 2008.) Here are some of the
coolest features you can expect from Microsoft's next wave
of virtualization technology.

10 New Windows-based management console— The first
thing you'll notice is the modernized management console.
The new console, based on Microsoft Management
Console 3.0, includes wizards for creating virtual
machines (VMs) and a task pane for performing management
functions.

9 Standard VHD image— Windows Server Virtualization
supports Microsoft's Virtual Hard Disk
(VHD) format, so you can use VM images from
Microsoft Virtual Server 2005 and Microsoft Virtual
PC with the new product.

8 Support for live backups using VSS— An important
high-availability feature included with Windows
Server Virtualization is the ability to back
up running VMs using Microsoft Volume Shadow
Copy Service. VSS takes a live snapshot of the VM's state
without interrupting its operation.

7 Support for guest clustering— Windows Server
Virtualization supports clustering guests either
within the same node, which can be implemented
using a shared SCSI adapter, or across different
nodes, which requires a shared-storage solution that can be
implemented using either an iSCSI or Fibre Channel SAN.

6 Support for host clustering— Host-clustering
support is especially valuable for server consolidation
environments. If the host goes down in such
an environment, all the VMs running on that host
will be unavailable. Host clustering lets you create a cluster
resource containing the host's VMs. In the event of a failure,
you can move the cluster resource to a backup node and
restart all the VMs in about 10 seconds.

5 Support for snapshots— Windows Server Virtualization's
support for snapshots helps bring the VM
support in Windows 2008 up to the level offered
by VMware's products. Snapshots let you make
multiple point-in-time copies of the VM state and easily roll
back to a previous state.

4 Support for 32GB memory per VM— With Virtual
Server 2005 R2, VMs were limited to 3.6GB of
memory. The virtual memory support for Windows
Server Virtualization has been bumped to
as much as 32GB per VM, allowing for much greater scalability.
Remember, the host can't allocate more memory to
a VM than it has available as physical RAM.

3 Support for 8-way virtual SMP— Another important
scalability feature is the new support for virtual
SMP. Unlike Virtual Server 2005, which supports
only a single processor per VM, Windows Server
Virtualization supports up to 8-way virtual SMP. The host
must have at least as many physical CPUs (or cores) as you
want Virtual-SMP machines to support.

2 x64 and virtualization-enabled hardware— In
keeping with Microsoft's move toward 64-bit computing,
Windows Server Virtualization requires an
x64-compatible processor and the processor-based
virtualization capabilities of either the Intel VT or AMD
Virtualization processor. The product won't run on systems that
don't support hardware virtualization.

1 Hypervisor-based architecture— Windows Server
Virtualization brings with it an entirely new virtualization
architecture. Like VMware ESX Server, Windows Server
Virtualization uses a hypervisor-based kernel
that runs directly on the system
hardware. Unlike ESX Server, the Windows Server
Virtualization hypervisor is ultralightweight because
it doesn't contain any device drivers or third-party
code. Windows Server Virtualization also includes a
new Virtual Service Provider/Virtual Service Client
architecture that enables higher performance for VMs.
Xen-enabled Linux can run as a guest OS and benefit
from this new high-performance architecture.
Before purchasing InfoStreet’s StreetSmart business productivity Software
as a Service (SaaS), we had been paying the ongoing costs associated with
using IT-managed software. Choosing StreetSmart was a fairly easy decision—it
saves us money. In addition to being affordable, StreetSmart is very robust
and functional. Because customers can develop tools that can be integrated into
StreetSmart, we can be creative and innovative with internal communications. The
product is very easy to use and lets us communicate seamlessly from coast to coast.
In addition to being far more user friendly and much less expensive than those
of other SaaS providers we looked at, InfoStreet's services offer more features and
tools that benefit my team. The InfoStreet sales team also went above and beyond
to allay concerns I had, and StreetSmart impressed
me at every turn with regard to functionality, ease
of use, scalability, security, upgradeability, flexibility, cost, and future-proofing our
network.

Reader: Don Nora, vice president of technology and CIO
Product: StreetSmart
Company: InfoStreet
Contact: http://www.infostreet.com

To me, StreetSmart’s biggest benefit has been the dramatic improvement in
communication that it's fostered within our organization. The applications we use
include shared calendaring (which automatically accounts for time-zone differences
when we schedule conference calls for various offices), file sharing tools, workflows,
intranet portals, and StreetSmart's KnowledgeBase application, which lets everyone
in our organization post and look up information needed to do his or her job.
StreetSmart has helped us come together as a team and operate as one: No longer
are we isolated offices separated by distance, but a single highly effective team.
Keep Email Up and Running

Zenprise for BlackBerry, Zenprise for Exchange


As senior server engineer for Alameda
County, California,
I manage the county's email
infrastructure, which in addition
to Exchange includes
BlackBerry Enterprise Server
(BES) and more than 200
BlackBerrys. Communications
are vital in day-to-day county
operations, never mind during
emergencies, so keeping email up and running is critical.

Reader: Paul Hinsberg, senior server engineer
Product: Zenprise for BlackBerry, Zenprise for Exchange
Company: Zenprise
Contact: http://www.zenprise.com

Alert capabilities are an expected feature of monitoring software, but
Zenprise for Exchange and Zenprise for BlackBerry also collect information
from our email infrastructure, automatically detecting systems
such as DNS, Exchange, and BlackBerry servers. Zenprise warns us
when something might go down before it actually does. For example,
days before the nationwide BlackBerry outage in April, Zenprise notified
us of intermittent connection activity, and it flagged exactly when the
BlackBerry service outage occurred. More important, it let us know that
the failure was on Research in Motion's network, not on ours.

"Keeping my users’ email up and
running is critical, which is why
we chose Zenprise.”

—Paul Hinsberg, senior server engineer

Zenprise's proactive monitoring lets us correlate multiple symptoms
into a single diagnosis, tells us exactly what's wrong, and gives us a
step-by-step resolution plan for fixing the problem. Resolution plans are
well thought-out, contain reference material for further information,
and automatically track steps as you take them. As a result, less experienced
engineers can address problems that previously demanded
my attention.
What’s Hot 


Continuously Back Up Laptops and Desktops

Atempo LiveBackup


We purchased Atempo's LiveBackup, a
continuous data
protection (CDP) solution for
PCs, for three reasons. First,
LiveBackup's mature product
pricing model charges only for
the client, not the server. This
pricing model lets me set up
new sites and move users to
them at no additional license
charge. Second, the product's self-serve recovery options let end users
retrieve their own files and force backups whenever they like. Third, the
solution doesn't allow Help desk technicians to access data on client
machines, which helps us avoid the many legal ramifications of someone
accessing and reading a hard disk without permission.

Reader: Shawn Wilde, CIO
Product: Atempo LiveBackup
Company: Atempo
Contact: http://www.atempo.com

LiveBackup also lets me set up rules on the back end, meaning
that at the server level, I can define different levels of backup for different
users. What's also great about LiveBackup is that it protects my
users while running completely transparently, sort of like antivirus
software.

"It protects my users while
running completely
transparently.”

—Shawn Wilde, CIO

Editor's Note: Atempo LiveBackup helps companies protect Windows
laptops and desktops and includes several other features not mentioned
above, such as data compression, redundant-file elimination, and
technology that eliminates redundant blocks of data to minimize the
product's use of network bandwidth. LiveBackup also includes a tool
for performing full bare-metal disaster recovery.

InstantDoc ID 96034



Performance Monitoring Software for 
Websites, Applications and Infrastructure 

Continuous website, server and infrastructure monitoring 
is critical to ensuring that your website and web-based 
applications are available and performing with acceptable 
response times. 


Web Watch Bot 5.0 features 

- Real-time, end-to-end view 
of performance 

- Visibility into complex web- 
based applications and 
underlying infrastructure 

- Ability to detect problems 
before they impact the 
end user 

- Agentless installation - 
get up and running fast 






E3E 


fcj 



www. Web Wa tchBo t. com 


Exclamation 


1-267-895-1726 Direct 
1-866-489-0111 Toll Free US and Canada 


Are 1m IIS Servers Under Atleek? 


Block all unwanted IIS 
traffic with ThreatSentry 


& *! privacy **1*“ 

| threa tsentry 

~2 IliliM* toiiikii hr HdimtiM. 



download free trial 


ii i r. i ir. i 


1 IIS host ips & application firewall 
’ stop known, new & internal threats 
’ overcome lapses in patch management 
1 reinforce regulatory compliance 


sales@privocyware.com « www.privacYware.com • 732.212.81 10 x235 
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
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IT Automation 


Guaranteed * Supported * Complete

WinBatch automates Windows PCs Fast

Simple scripting
800+ practical examples
2,500 case studies
30 special purpose libraries and extenders

WinBatch gives you the power that only top notch C++ or VB developers can enjoy, but takes away the complexity.

Free Trial Copy sales@winbatch.com

www.winbatch.com 1-800-762-8383


BUSINESS focused EXCHANGE REPORTING

AppAnalyzer for Exchange

Microsoft Exchange reporting made easy

Over 80 Pre-built Reports

• Individual User Message Traffic Details
• Distribution List Activity
• Outlook Web Access Analysis
• Message Traffic and Storage by Active Directory Attributes (e.g. Department, Cost Center)
• Public Folder Usage
• Message Delivery Times
• Mailbox Quota History
• Mailbox Content Scanning

Easy, Intuitive User Interface
Low-impact Deployment (No Agent Required)
Highly Scalable (100,000+ mailboxes)
Unlimited 30-day Trial Available


Full access, one month at a time. 


WITH YOUR MONTHLY ONLINE PASS YOU WILL GET:

■ Interactive blog and forum
■ The latest digital issue of Windows IT Pro
■ 24/7 online access to over 10,000 Windows IT Pro magazine articles
■ Updates and news alerts on the absolute latest industry developments
■ Product comparisons and recommendations
■ Exclusive chats with the Editors and industry experts
■ and much much more!


Sign up today for only US$5.95 per 
month and start getting quick answers 
to ALL of your IT questions! 


Windows 


800.793.5697 

www.windowsitpro.com/MonthlyPass 


Imagine... 


• Realtime replication
• Optimum performance monitoring
• Complete backup and restore
• Seamless migrations

esxRanger Professional™ • esxMigrator™ • esxCharter™ • esxReplicator™


vizioncore 

Enhancing VMware Infrastructure 


For more information visit www.vizioncore.com 
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DIRECTORY OF SERVICES 

Windows IT Pro Network 


Ad Index 


Search our network of sites dedicated to hands-on technical
information for IT professionals.

http://www.windowsitpro.com 

Support 

Join our discussion forums. Post your questions and get 
advice from authors, vendors, and other IT professionals. 

http://www.windowsitpro.com/forums 

News 

Check out the current news and information about 
Microsoft Windows technologies. 

http://www.wininformant.com 

EMAIL NEWSLETTERS 

Get free NT/2000/XP/2003 news, commentary, and tips 
delivered automatically to your desktop. 

Windows IT Pro UPDATE 
Vista UPDATE 

Windows Tips & Tricks UPDATE 
Win Info Daily UPDATE 
.NET Briefing 

Exchange & Outlook UPDATE 
Scripting Central 
Security UPDATE 

SQL Server 2005 Express UPDATE
SQL Server Magazine UPDATE 
Storage UPDATE 
Windows IT Library UPDATE 
Connected Home EXPRESS 

http://www.windowsitpro.com/email 

PRO VIP ACCESS 

Exchange & Outlook Pro VIP 

Discover smart solutions for Exchange and 
Outlook administrators. 

http://www.exchangeprovip.com 

Scripting Pro VIP 

Learn how to create more powerful scripts and get tips 
for automating those tedious administrative tasks. 

http://www.scriptingprovip.com 

Security Pro VIP 

Discover practical, how-to advice for avoiding and 
solving security problems. 

http://www.securityprovip.com 

RELATED PRODUCTS 

Custom Reprint Services 

Order reprints of Windows IT Pro articles. Contact Joel
Kirk at jkirk@penton.com.

Super CD/VIP 

Get exclusive access to all of our print publications, including
Windows IT Pro, via the new, banner-free VIP Web site.

http://www.windowsitpro.com/sub/vip 

Article Archive CD 

Access every article ever printed in Windows IT Pro 
magazine since September 1995 with this portable and 
speedy tool. 

http://www.windowsitpro.com/sub/cd 
SQL SERVER MAGAZINE 

Explore the hottest new features of SQL Server, and 
discover practical tips and tools. 

http://www.sqlmag.com 

www.windowsitpro.com 
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Ctrl+Alt+Del BY JASON BOVBERG 


Email your funny screenshots, favorite end-user moments, and humorous IT-related pics to rumors@windowsitpro.com. 
If we use your submission, you’ll receive a Ctrl+Alt+Del coffee mug. 


A Whole Bunch of Nothin’ 


Cannot create dialog box (Insufficient Memory)

Add more memory to view memory error

OK, I’ll close it again

OK

The following applications should be closed before continuing the install:

Abort   Retry   Ignore

Microsoft Management Console

Let’s dig into the meaning of it all

A query in the void



DOGBERT'S TECH SUPPORT

by Scott Adams

TRY TURNING OFF YOUR ROUTER, YOUR MODEM, AND YOUR COMPUTER.

NOW TURN OFF YOUR AIR CONDITIONING, YOUR LIGHTS, AND YOUR WATER HEATER. UNPLUG YOUR MICROWAVE AND DEFROST YOUR REFRIGERATOR.

YOU'RE VERY THOROUGH.

CANCEL YOUR GARBAGE SERVICE, RENOUNCE YOUR CITIZENSHIP, AND YANK OUT YOUR PHONE.
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Special Operations Software™ 



Take Group Policy based
systems management
to the next level


White Paper: The Power of Group Policy 


...Given the power of Group Policy, you'd think Microsoft would have done more to make it the
very best management tool on the market for Windows systems. But, right now, there are still
failings in the Microsoft GPO strategy. For example, if you want to inventory your systems, you
have to use a different tool. That's a bit odd since AD already contains information about
every single computer system in your network. Also, when deploying software through AD,
there is no way to tell whether a software deployment actually occurred—except, of course, if
you actually connect to the PC. That's because AD does not include any software deployment
reporting features. And, if you deploy 2007 Microsoft Office System to your PCs, you'll find
that you can't control how much bandwidth it takes or when the deployment begins. Your best
bet is to start the deployment at night and hope it doesn't kill your network. It seems unfortunate
that you would have to go through the entire process of designing and deploying your
Active Directory and then find you need to perform another deployment just to implement a
systems management tool. Fortunately, there is help...

About the Authors 

Danielle Ruest and Nelson Ruest, MCSE, MCT, Microsoft MVP, are 
IT professionals specializing in systems administration, migration 
planning, software management and architecture design. They are 
also authors of multiple books. 


DOWNLOAD the entire "The Power of Group Policy" White Paper at

www.specopssoft.com/winitpro

Microsoft Partner - ISV/Software Solutions

Call us at 866-857-5325 (Toll free)

www.specopssoft.com

© 2007 Special Operations Software. All rights reserved. Specops Inventory, Specops Deploy and Specops Password Policy are registered
trademarks. All other trademarks are the trademarks of their respective companies.
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Security Explorer for SharePoint

Improve Security of SharePoint Resources 

Comprehensive, centralized permissions management enables administrators to lock down SharePoint 
resources and eliminate over-exposed libraries, lists and documents. 


Meet Compliance Objectives Faster 

Reduce the time needed to implement security standards on SharePoint and Windows file servers,
demonstrate compliance and maintain security management.


Increase Administrative Productivity

Save time with centralized, consolidated management features. With Security Explorer for SharePoint, 
administrators can manage multiple SharePoint servers from a single console, and make use of innovative 
features like comprehensive security search, security backup and restore, and permission cloning. 


Some things just aren’t meant to be shared 


Used bubble gum
Your social security number
The keys to your new car
Your toothbrush
The remote


Download a free 30-day trial version

www.ScriptLogic.com/sharesecurely


Point, Click, Done!
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